# INSTALL INSTRUCTIONS: save as -/.gdbinit 

# 

# DESCRIPTION: A user-friendly gdb configuration file, for x86/x86_64 and ARM 
platforms . 

# 

# REVISION : 8.0.5 (18/08/2013) 

# 

# CONTRIBUTORS: mammon_, elaine, pusillus, mong, zhang le, 10kit, 

# truthix the cyberpunk, f G ! , gin 

# 

# FEEDBACK: http://reverse.put.as - reverser§put . as 

# 

# NOTES: 'help user' in gdb will list the commands/descriptions in this file 

# 'context on' now enables auto-display of context screen 

# 

# MAC OS X NOTES: If you are using this on Mac OS X, you must either attach gdb to 
a process 

# or launch gdb without any options and then load the binary file 
you want to analyse with "exec-file" option 

# If you load the binary from the command line, like $gdb binary- 
name, this will not work as it should 

# For more information, read it here 
http : //reverse . put . as/2008/ll/28/apples-gdb-bug/ 

# 

# UPDATE: This bug can be fixed in gdb source. Refer to 

http://reverse.put.as/2009/08/10/fix-for-apples-gdb-bug-or-why-apple-forks-are-bad/ 

# and http://reverse.put.as/2009/08/26/gdb-patches/ (if you want the fixed 
binary for i386) 

# 

# An updated version of the patch and binary is available at 
http : //reverse . put . as/2011/02/21/update- to -gdb -patches -fix- a- new- bug/ 

# 

# iOS NOTES: iOS gdb from Cydia (and Apple's) suffer from the same OS X bug. 

# If you are using this on Mac OS X or iOS, you must either attach 
gdb to a process 

# or launch gdb without any options and then load the binary file you 
want to analyse with "exec-file" option 

# If you load the binary from the command line, like $gdb binary-name, 
this will not work as it should 

# For more information, read it here 
http : //reverse . put . as/2008/ll/28/apples-gdb-bug/ 

# 

# CHANGELOG: (older changes at the end of the file) 

# 

# Version 8.0.6 (05/09/2013) 

# - Add patch command to convert bytes to little-endian and patch memory 

# 

# Version 8.0.5 (18/08/2013) 

# - Add commands header and loadcmds to dump Mach-0 header information 

# - Other fixes and additions from previous commits 

# 

# Version 8.0.4 (08/05/2013) 

# - Detect automatically 32 or 64 bits archs using sizeof (void* ) . 

# Thanks to Tyilo for the simple but very effective idea! 

# - Typo in hexdump command also fixed by vuquangtrong . 

# - Add shortcuts to attach to VMware kernel debugging gdb stub (kernel32 and 

kernel64) 

# 

# Version 8.0.3 (21/03/2013) 



# - Add option to colorize or not output (thanks to argp and skier for the 
request and ideas!) 

# - Convert the escape codes into functions so colors can be easily customized 

# - Other enhancements available at git commit logs 

# Thanks to Plouj, argp, xristos for their ideas and fixes! 

# 

# Version 8.0.2 (31/07/2012) 

# - Merge pull request from mheistermann to support local modifications in a 
. gdbinit. local file 

# - Add a missing opcode to the stepo command 

# 

# Version 8.0.1 (23/04/2012) 

# - Small bug fix to the attsyntax and intelsyntax commands (changing X86 
flavor variable was missing) 

# 

# Version 8.0 (13/04/2012) 

# - Merged x86/x64 and ARM versions 

# - Added commands intelsyntax and attsyntax to switch between x86 disassembly 
flavors 

# - Added new configuration variables ARM, ARMOPCODES, and X86FLAVOR 

# - Code cleanups and fixes to the indentation 

# - Bug fixes to some ARM related code 

# - Added the dumpmacho command to memory dump the mach-o header to a file 

# 

# TODO: 

# 

# gdb options 

# set to 1 to have ARM target debugging as default, use the "arm" command to switch 
inside gdb 

set $ARM = 0 

# set to 0 if you have problems with the colorized prompt - reported by Plouj with 
Ubuntu gdb 7.2 

set SCOLOREDPROMPT = 1 

# color the first line of the disassembly - default is green, if you want to change 
it search for 

# SETCOLOR1STLINE and modify it :-) 
set $SETC0L0R1STLINE = 0 

# set to 0 to remove display of objectivec messages (default is 1) 
set $SHOWOBJECTIVEC = 1 

# set to 0 to remove display of cpu registers (default is 1) 
set SSHOWCPUREGISTERS =1 

# set to 1 to enable display of stack (default is 0) 
set $SHOWSTACK = 0 

# set to 1 to enable display of data window (default is 0) 
set $SHOWDATAWIN = 0 

# set to 0 to disable colored display of changed registers 
set SSHOWREGCHANGES = 0 

# set to 1 so skip command to execute the instruction at the new location 

# by default it EIP/RIP will be modified and update the new context but not execute 
the instruction 

set SSKIPEXECUTE = 0 

# if SSKIPEXECUTE is 1 configure the type of execution 

# 1 = use stepo (do not get into calls), 0 = use stepi (step into calls) 
set SSKIPSTEP = 1 

# show the ARM opcodes - change to 0 if you don't want such thing (in x/i command) 
set SARMOPCODES = 1 

# x86 disassembly flavor: 0 for Intel, 1 for AT&T 



set SX86FLAV0R = 0 

# use colorized output or not 
set SUSECOLOR = 0 

# to use with remote KDP 
set SKDP64BITS = -1 

set $64BITS = 0 

set confirm off 
set verbose off 

set history filename -/ . gdb_history 
set history save 

set output-radix 0x10 
set input -radix 0x10 

# These make gdb never pause in its output 
set height 0 

set width 0 

set $SHOW_CONTEXT = 1 
set $SHOW_NEST_INSN = 0 

set $CONTEXTSIZE_STACK = 6 
set $CONTEXTSIZE_DATA = 8 
set $CONTEXTSIZE_CODE = 8 

# end gdb options 

# 

# color functions 

# 

# color codes 
set SBLACK = 0 
set $RED = 1 
set $GREEN = 2 
set SYELLOW = 3 
set $BLUE = 4 
set SMAGENTA = 5 
set SCYAN = 6 
set SWHITE = 7 

# CHANGME : If you want to modify the "theme" change the colors here 

# or just create a -/. gdbinit . local and set these variables there 
set $COLOR_REGNAME = $GREEN 

set $COLOR_REGVAL = SBLACK 
set $COLOR_REGVAL_MODIFIED = $RED 
set $COLOR_SEPARATOR = $BLUE 
set $COLOR_CPUFLAGS = $RED 

# this is ugly but there's no else if available :-( 
define color 

if SUSECOLOR == 1 
# BLACK 
if SargO == 0 

echo \033[30m 

else 

# RED 

if SargO == 1 

echo \033[31m 



else 


end 

end 


end 

end 


# GREEN 
if $argG == 2 

echo \033[32m 

else 

# YELLOW 
if $arg0 == 3 

echo \033[33m 

else 

# BLUE 

if $arg0 == 4 

echo \033 [34m 

else 

# MAGENTA 
if $arg0 == 5 

echo \033[35m 

else 

# CYAN 

if $arg0 == 6 

echo \033[36m 

else 

# WHITE 
if $arg0 == 7 

echo \033[37m 
end 
end 
end 
end 
end 
end 


define color_reset 

if $USECOLOR == 1 
echo \033[0m 
end 


define color_bold 

if SUSECOLOR == 1 
echo \033[lm 
end 
end 

define color_underline 
if SUSECOLOR == 1 
echo \033[4m 
end 
end 

# this way anyone can have their custom prompt - argp's idea :-) 

# can also be used to redefine anything else in particular the colors aka theming 

# just remap the color variables defined above 
source -/.gdbinit .local 

# can't use the color functions because we are using the set command 



if $COLOREDPROMPT == 1 

set prompt \033[31mgdb$ \033[0m 
end 

# Initialize these variables else comparisons will fail for coloring 

# we must initialize all of them at once, 32 and 64 bits, and ARM. 
set Soldrax = 0 

set Soldrbx = 0 
set Soldrcx = 0 
set Soldrdx = 0 
set Soldrsi = 0 
set Soldrdi = 0 
set Soldrbp = 0 
set Soldrsp = 0 
set $oldr8 = 0 
set $oldr9 = 0 
set $oldrl0 = 0 
set Soldrll = 0 
set $oldrl2 = 0 
set $oldrl3 = 0 
set $oldrl4 = 0 
set $oldrl5 = 0 
set Soldeax = 0 
set Soldebx = 0 
set Soldecx = 0 
set Soldedx = 0 
set Soldesi = 0 
set Soldedi = 0 
set Soldebp = 0 
set Soldesp = 0 
set $oldr0 = 0 
set Soldrl = 0 
set $oldr2 = 0 
set $oldr3 = 0 
set $oldr4 = 0 
set $oldr5 = 0 
set $oldr6 = 0 
set $oldr7 = 0 
set Soldsp = 0 
set Soldlr = 0 

# used by ptraceme/rptraceme 
set $ptrace_bpnum = 0 

# window size control 

define contextsize-stack 

if $argc I® 1 

help contextsize-stack 

else 

set $CONTEXTSIZE_STACK = $arg0 

end 

end 

document contextsize-stack 
Syntax: contextsize-stack NUM 
| Set stack dump window size to NUM lines, 
end 


define contextsize-data 



if Sargc != 1 

help contextsize-data 

else 

set $CONTEXTSIZE_DATA = $arg0 
end 
end 

document contextsize-data 
Syntax: contextsize-data NUM 
| Set data dump window size to NUM lines, 
end 


define contextsize-code 
if $argc != 1 

help contextsize-code 

else 

set $CONTEXTSIZE_CODE = SargO 
end 
end 

document contextsize-code 
Syntax: contextsize-code NUM 
| Set code window size to NUM lines, 
end 


# breakpoint aliases 

define bpl 

info breakpoints 
end 

document bpl 
Syntax: bpl 

| List all breakpoints, 
end 


define bp 

if $argc != 1 
help bp 

else 

break $arg0 
end 
end 

document bp 
Syntax: bp LOCATION 
| Set breakpoint. 

j LOCATION may be a line number, function name, or "*" and an address, 
j To break on a symbol you must enclose symbol name inside 
j Example: 

j bp "[NSControl stringValue] " 

j Or else you can use directly the break command (break [NSControl stringValue]) 
end 


define bpc 

if $argc != 1 
help bpc 

else 

clear SargO 


end 



end 

document bpc 
Syntax: bpc LOCATION 
| Clear breakpoint. 

j LOCATION may be a line number, function name, or "*" and 
end 


define bpe 

if $argc != 1 
help bpe 

else 

enable SargO 
end 


end 

document bpe 
Syntax: bpe NUM 

| Enable breakpoint with number NUM. 
end 


define bpd 

if Sargc != 1 
help bpd 

else 

disable SargO 
end 


end 

document bpd 
Syntax: bpd NUM 

| Disable breakpoint with number NUM. 
end 


define bpt 

if Sargc != 1 
help bpt 

else 

tbreak SargO 
end 
end 

document bpt 

Syntax: bpt LOCATION 

| Set a temporary breakpoint. 

j This breakpoint will be automatically deleted when hit ! . 
j LOCATION may be a line number, function name, or "*" and 
end 


define bpm 

if Sargc != 1 
help bpm 

else 

awatch SargO 
end 
end 

document bpm 
Syntax: bpm EXPRESSION 

| Set a read/write breakpoint on EXPRESSION, e.g. ‘address. 


address 


address 



end 


define bhb 

if $argc != 1 
help bhb 

else 

hb $arg0 
end 


end 

document bhb 

Syntax: bhb LOCATION 

| Set hardware assisted breakpoint. 

j LOCATION may be a line number, function name, or "*" and an address, 
end 


define bht 

if Sargc != 1 
help bht 

else 

thbreak SargO 
end 


end 

document bht 
Usage: bht LOCATION 

| Set a temporary hardware breakpoint. 

j This breakpoint will be automatically deleted when hit! 

j LOCATION may be a line number, function name, or "*" and an address. 

end 


# process information. 

define argv 
show args 
end 

document argv 
Syntax: argv 

| Print program arguments, 
end 


define stack 

if Sargc == 0 
info stack 
end 

if Sargc == 1 

info stack SargO 
end 

if Sargc > 1 
help stack 
end 
end 

document stack 
Syntax: stack <COUNT> 

| Print backtrace of the call stack, 
end 


or innermost COUNT frames. 



define frame 
info frame 
info args 
info locals 
end 

document frame 
Syntax: frame 
| Print stack frame, 
end 


define flagsarm 

# conditional flags are 

# negative/less than (N), bit 31 of CPSR 

# zero (Z), bit 30 

# Carry/Borrow/Extend (C), bit 29 

# Overflow (V), bit 28 

# negative/less than (N), bit 31 of CPSR 
if (($cpsr » 0xlf) & 1) 

printf "N " 

set $_n_flag = 1 

else 

printf "n " 

set $_n_flag = 0 
end 

# zero (Z), bit 30 

if (($cpsr » 0xle) & 1) 
printf "Z " 

set $_z_flag = 1 

else 

printf "z " 

set $_z_flag = 0 
end 

# Carry/Borrow/Extend (C), bit 29 
if (($cpsr » 0xld) & 1) 

printf "C " 
set $_c_flag = 1 
else 

printf "c " 

set $_c_flag = 0 
end 

# Overflow (V), bit 28 
if ((Scpsr » 0xlc) & 1) 

printf "V " 
set $_v_flag = 1 

else 

printf "v " 
set $_v_flag = 0 
end 

# Sticky overflow (Q), bit 27 
if ( (Scpsr » 0xlb) & 1) 

printf "Q " 
set $_q_flag = 1 

else 

printf "q " 
set $_q_flag = 0 
end 


# Java state bit (J), bit 24 

# When T=1 : 



# J = 0 The processor is in Thumb state. 

# J = 1 The processor is in ThumbEE state, 
if ( (Scpsr » 0x18) & 1) 

printf "J " 
set $_j_flag = 1 

else 

printf "j " 
set $_j_flag = 0 
end 

# Data endianness bit (E), bit 9 
if (($cpsr » 9) & 1) 

printf "E " 
set $_e_flag = 1 

else 

printf "e " 
set $_e_flag = 0 
end 

# Imprecise abort disable bit (A), bit 8 

# The A bit is set to 1 automatically. It is used to disable imprecise data 
aborts . 

# It might not be writable in the Nonsecure state if the AW bit in the SCR 
register is reset. 

if (($cpsr » 8) & 1) 
printf "A " 
set $_a_flag = 1 

else 

printf "a " 
set $_a_flag = 0 
end 

# IRQ disable bit (I), bit 7 

# When the I bit is set to 1, IRQ interrupts are disabled, 
if ((Scpsr » 7) & 1) 

printf "I " 
set $_i_flag = 1 

else 

printf "i " 
set $_i_flag = 0 
end 

# FIQ disable bit (F), bit 6 

# When the F bit is set to 1, FIQ interrupts are disabled. 

# FIQ can be nonmaskable in the Nonsecure state if the FW bit in SCR register 
is reset. 

if ((Scpsr » 6) & 1) 
printf "F " 
set $_f_flag = 1 

else 

printf "f " 
set $_f_flag = 0 
end 

# Thumb state bit (F), bit 5 

# if 1 then the processor is executing in Thumb state or ThumbEE state 
depending on the J bit 

if ((Scpsr » 5) & 1) 
printf "T " 
set $_t_flag = 1 

else 

printf "t " 
set $_t_flag = 0 


end 



# TODO: GE bit ? 


end 

document flagsarm 
Syntax: flagsarm 

| Auxiliary function to set ARM cpu flags, 
end 


define flagsx86 

# OF (overflow) flag 

if (((unsigned int)$eflags » 0xB) & 1) 
printf "0 " 
set $_of_flag = 1 

else 

printf "o " 
set $_of_flag = 0 
end 

# DF (direction) flag 

if (((unsigned int)$eflags » 0xA) & 1) 
printf "D " 

else 

printf "d " 
end 

# IF (interrupt enable) flag 

if (((unsigned int)$eflags » 9) & 1) 
printf "I " 

else 

printf "i " 
end 

# TF (trap) flag 

if (((unsigned int)$eflags » 8) & 1) 
printf "T " 

else 

printf "t " 
end 

# SF (sign) flag 

if (((unsigned int)$eflags » 7) & 1) 
printf "S " 
set $_sf_flag = 1 

else 

printf "s " 
set $_sf_flag = 0 
end 

# ZF (zero) flag 

if (((unsigned int)$eflags » 6) & 1) 
printf "Z " 
set $_zf_flag = l 
else 

printf "z " 

set $_zf_flag = 0 
end 

# AF (adjust) flag 

if (((unsigned int)$eflags » 4) & 1) 
printf "A " 

else 

printf "a " 
end 

# PF (parity) flag 

if (((unsigned int)$eflags » 2) & 1) 



printf "P " 

set $_pf_flag = 1 

else 

printf "p " 
set $_pf_flag = 0 
end 

# CF (carry) flag 
if ((unsigned int)$eflags & 1) 
printf "C " 

set $_cf_flag = 1 

else 

printf "c " 
set $_cf_flag = 0 
end 

printf "\n" 
end 

document flagsx86 
Syntax: flagsx86 

| Auxiliary function to set X86/X64 cpu flags. 


define flags 

# call the auxiliary functions based on target cpu 
if $ARM == 1 
flagsarm 

else 

flagsx86 

end 

end 

document flags 
Syntax: flags 
| Print flags register, 
end 


define eflags 

if $ARM == 1 

# http : //www. hey rick . co . uk/armwiki/The_Status_register 
printf " N <%d> Z <%d> C <%d> V <%d>",\ 

(($cpsr » 0xlf) & 1), (($cpsr » 0xle) & 1), \ 

(($cpsr » 0xld) & 1), (($cpsr » 0xlc) & 1) 

printf " Q <%d> J <%d> GE <%d> E <%d> A <%d>",\ 

(($cpsr » 0xlb) & 1), (($cpsr » 0x18) & 1),\ 

(($cpsr » 0x10) & 7), (($cpsr » 9) & 1), (($cpsr » 8) & 1) 

printf " I <%d> F <%d> T <%d> \n",\ 

(($cpsr » 7) & 1), ((Scpsr » 6) & 1), \ 

(($cpsr » 5) & 1) 

else 

printf " OF <%d> DF <%d> IF <%d> TF <%d>",\ 

(((unsigned int)$eflags » 0xB) & 1), (((unsigned int)$eflags » 

0xA) & 1), \ 

(((unsigned int)$eflags » 9) & 1), (((unsigned int)$eflags » 8) & 
l) 

printf " SF <%d> ZF <%d> AF <%d> PF <%d> CF <%d>\n",\ 

(((unsigned int)$eflags » 7) & 1), (((unsigned int)$eflags » 6) & 

l),\ 

(((unsigned int)$eflags » 4) & 1), (((unsigned int)$eflags » 2) & 
1), ((unsigned int)$eflags & 1) 



printf " ID <%d> VIP <%d> VIF <%d> AC <%d>",\ 

(((unsigned int)$eflags » 0x15) & 1), (((unsigned int)$eflags » 

0x14) & 1), \ 

(((unsigned int)$eflags » 0x13) & 1), (((unsigned int)$eflags » 

0x12) & 1) 

printf " VM <%d> RF <%d> NT <%d> IOPL <%d>\n",\ 

(((unsigned int)$eflags » 0x11) & 1), (((unsigned int)$eflags » 

0x10) & 1),\ 

(((unsigned int)$eflags » 0xE) & 1), (((unsigned int)$eflags » 

0xC) & 3) 
end 
end 

document eflags 
Syntax: eflags 
| Print eflags register, 
end 


define cpsr 
eflags 
end 

document cpsr 
Syntax: cpsr 
| Print cpsr register, 
end 

define regarm 
printf " " 

# R0 

color $COLOR_REGNAME 
printf "R0:" 

if ($r0 ! = $oldr0 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $r0 

# R1 

color $COLOR_REGNAME 
printf "Rl:" 

if ($rl ! = Soldrl && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $rl 

# R2 

color $COLOR_REGNAME 
printf "R2 : " 

if ($r2 ! = $oldr2 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $r2 

# R3 

color $COLOR_REGNAME 
printf "R3:" 

if ($r3 != Soldr3 && SSHOWREGCHANGES == 1) 



color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X\n", $r3 

printf " " 

# R4 

color $COLOR_REGNAME 
printf "R4:" 

if ($r4 ! = $oldr4 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $r4 

# R5 

color $COLOR_REGNAME 
printf "R5:" 

if ($r5 ! = $oldr5 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $r5 

# R6 

color $COLOR_REGNAME 
printf "R6:" 

if ($r6 ! = Soldr6 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $r6 

# R7 

color $COLOR_REGNAME 
printf "R7:" 

if ($r7 ! = Soldr7 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X\n", $r7 

printf " " 

# R8 

color $COLOR_REGNAME 
printf "R8 : " 

if ($r8 ! = Soldr8 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $r8 

# R9 

color $COLOR_REGNAME 
printf "R9 : " 

if ($r9 ! = Soldr9 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 


color $COLOR_REGVAL 



end 

printf " 0x%08X ", $r9 

# R10 

color $COLOR_REGNAME 
printf "R10:" 

if ($rl0 ! = $oldrl0 && $SHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $rl0 

# Rll 

color $COLOR_REGNAME 
printf "Rll:" 

if ($rll ! = Soldrll && $SHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $rll 

dumpjump 

printf "\n" 

# R12 

color $COLOR_REGNAME 
printf " R12:" 

if ($rl2 ! = $oldrl2 && $SHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X" , $rl2 
printf " " 

# SP 

color $COLOR_REGNAME 
printf "SP:" 

if ($sp ! = Soldsp && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $sp 

# LR 

color $COLOR_REGNAME 
printf "LR:" 

if ($lr ! = Soldlr && $SHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $lr 

# PC 

color $COLOR_REGNAME 
printf "PC:" 

color $COLOR_REGVAL_MODIFIED 

printf " 0x%08X ", $pc 

color_bold 

color_underline 

color $COLOR_CPUFLAGS 

flags 



color_reset 
printf "\n" 
end 

document regarm 
Syntax: regarm 

| Auxiliary function to display ARM registers, 
end 

define regx64 

# 64bits stuff 

printf " " 

# RAX 

color $COLOR_REGNAME 
printf "RAX:" 

if ($rax ! = Soldrax && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rax 

# RBX 

color $COLOR_REGNAME 
printf "RBX:" 

if ($rbx != Soldrbx && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rbx 

# RBP 

color $COLOR_REGNAME 
printf "RBP:" 

if ($rbp ! = Soldrbp && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rbp 

# RSP 

color $COLOR_REGNAME 
printf "RSP:" 

if (Srsp != Soldrsp && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", Srsp 

color_bold 

color_underline 

color $COLOR_CPUFLAGS 

flags 

color_reset 
printf " " 

# RDI 

color $COLOR_REGNAME 
printf "RDI:" 

if (Srdi ! = Soldrdi && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 



color $COLOR_REGVAL 


end 

printf " 0x%0161X ", $rdi 

# RSI 

color $COLOR_REGNAME 
printf "RSI:" 

if ($rsi ! = Soldrsi && SSHOWREGCHANGES 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rsi 

# RDX 

color $COLOR_REGNAME 
printf "RDX:" 

if ($rdx ! = Soldrdx && SSHOWREGCHANGES 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%016lX ", $rdx 

# RCX 

color $COLOR_REGNAME 
printf "RCX:" 

if ($rcx ! = Soldrcx && SSHOWREGCHANGES 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rcx 

# RIP 

color $COLOR_REGNAME 
printf "RIP:" 

color $COLOR_REGVAL_MODIFIED 
printf " 0x%0161X\n ", $rip 

# R8 

color $COLOR_REGNAME 
printf "R8 :" 

if ($r8 ! = $oldr8 && SSHOWREGCHANGES = 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $r8 

# R9 

color $COLOR_REGNAME 
printf "R9 :" 

if ($r9 ! = $oldr9 && SSHOWREGCHANGES == 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $r9 

# R10 

color $COLOR_REGNAME 
printf "R10:" 

if (Srio ! = SoldrlO && SSHOWREGCHANGES = 
color $COLOR_REGVAL_MODIFIED 

else 



color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rl0 

# Rll 

color $COLOR_REGNAME 
printf "Rll:" 

if ($rll ! = Soldrll && $SHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rll 

# R12 

color $COLOR_REGNAME 
printf "R12 : " 

if ($rl2 ! = $oldrl2 && $SHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%016lX\n ", $rl2 

# R13 

color $COLOR_REGNAME 
printf "R13:" 

if ($rl3 ! = $oldrl3 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rl3 

# R14 

color $COLOR_REGNAME 
printf "R14:" 

if ($rl4 ! = $oldrl4 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X ", $rl4 

# R15 

color $COLOR_REGNAME 
printf "R15:" 

if ($rl5 ! = $oldrl5 && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%0161X\n ", $rl5 

color $COLOR_REGNAME 
printf "CS:" 
color $COLOR_REGVAL 
printf " %04X ", Scs 

color $COLOR_REGNAME 
printf "DS:" 
color $COLOR_REGVAL 
printf " %04X ", Sds 

color $COLOR_REGNAME 
printf "ES:" 
color $COLOR_REGVAL 



printf " %04X ", $es 

color $COLOR_REGNAME 
printf "FS:" 
color $COLOR_REGVAL 
printf " %04X ", $fs 

color $COLOR_REGNAME 
printf "GS:" 
color $COLOR_REGVAL 
printf " %04X ", $gs 

color $COLOR_REGNAME 
printf "SS:" 
color $COLOR_REGVAL 
printf " %04X", $ss 
color_reset 


document regx64 
Syntax: regx64 

| Auxiliary function to display X86_64 registers, 
end 


define regx86 
printf " " 

# EAX 

color $COLOR_REGNAME 
printf "EAX:" 

if ($eax ! = Soldeax && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $eax 

# EBX 

color $COLOR_REGNAME 
printf "EBX:" 

if ($ebx !~ Soldebx && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $ebx 

# ECX 

color $COLOR_REGNAME 
printf "ECX:" 

if ($ecx ! = Soldecx && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $ecx 

# EDX 

color $COLOR_REGNAME 
printf "EDX:" 

if ($edx ! = Soldedx && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", Sedx 



color_bold 
color_underline 
color $COLOR_CPUFLAGS 
flags 

color_reset 
printf " " 

# ESI 

color $COLOR_REGNAME 
printf "ESI:" 

if ($esi ! = Soldesi && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $esi 

# EDI 

color $COLOR_REGNAME 
printf "EDI:" 

if ($edi ! = Soldedi && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", $edi 

# EBP 

color $COLOR_REGNAME 
printf "EBP:" 

if ($ebp ! = Soldebp && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", Sebp 

# ESP 

color $COLOR_REGNAME 
printf "ESP:" 

if (Sesp ! = Soldesp && SSHOWREGCHANGES == 1) 
color $COLOR_REGVAL_MODIFIED 

else 

color $COLOR_REGVAL 
end 

printf " 0x%08X ", Sesp 

# EIP 

color $COLOR_REGNAME 
printf "EIP:" 

color $COLOR_REGVAL_MODIFIED 
printf " 0x%08X\n ", Seip 

color $COLOR_REGNAME 
printf "CS:" 
color $COLOR_REGVAL 
printf " %04X ", Scs 

color $COLOR_REGNAME 
printf "DS:" 
color $COLOR_REGVAL 
printf " %04X ", Sds 

color $COLOR_REGNAME 
printf "ES:" 
color $COLOR_REGVAL 
printf " %04X ", Ses 



color $COLOR_REGNAME 
printf "FS:" 
color $COLOR_REGVAL 
printf " %04X ", $fs 

color $COLOR_REGNAME 
printf "GS:" 
color $COLOR_REGVAL 
printf " %04X ", $gs 

color $COLOR_REGNAME 
printf "SS:" 
color $COLOR_REGVAL 
printf " %04X", $ss 
color_reset 
end 

document regx86 
Syntax: regx86 

| Auxiliary function to display X86 registers. 


define reg 

if $ARM == 1 
regarm 

if (SSHOWREGCHANGES == 1) 
set $oldr0 = $r0 
set Soldrl = $rl 
set $oldr2 = $r2 
set $oldr3 = $r3 
set $oldr4 = $r4 
set $oldr5 = $r5 
set $oldr6 = $r6 
set $oldr7 = $r7 
set $oldr8 = $r8 
set $oldr9 = $r9 
set $oldrl0 = $rl0 

set Soldrll = $rll 
set $oldrl2 = $rl2 
set $oldsp = $sp 
set $oldlr = $lr 
end 

else 

if (S64BITS == 1) 
regx64 

else 

regx86 

end 

# call smallregisters 
smallregisters 

# display conditional jump routine 
if (S64BITS == 1) 

printf "\t\t\t\t" 
end 

dump jump 
printf "\n" 

if ( SSHOWREGCHANGES == 1) 
if (S64BITS == 1) 

set Soldrax = $rax 

set Soldrbx = $rbx 
set Soldrcx = $rcx 



set $oldrdx = $rdx 
set $oldrsi = $rsi 
set $oldrdi = $rdi 
set $oldrbp = $rbp 
set $oldrsp = $rsp 
set $oldr8 = $r8 
set $oldr9 = $r9 
set SoldrlG = $rl0 
set $oldrll = $rll 

set $oldrl2 = $rl2 
set $oldrl3 = $rl3 
set $oldrl4 = $rl4 
set $oldrl5 = $rl5 

else 

set $oldeax = $eax 
set $oldebx = $ebx 

set $oldecx = $ecx 
set $oldedx = $edx 
set $oldesi = $esi 
set $oldedi = $edi 

set $oldebp = $ebp 
set $oldesp = $esp 
end 
end 
end 
end 

document reg 
Syntax: reg 
| Print CPU registers, 
end 


define smallregisters 
if (S64BITS == 1) 

#64bits stuff 

# from rax 

set $eax = $rax & 0xffffffff 
set $ax = $rax & 0xffff 
set Sal = Sax & 0xff 
set Sah = Sax » 8 

# from rbx 

set Sebx = Srbx & ©xffffffff 
set Sbx = Srbx & 0xffff 
set $bl = Sbx & 0xff 
set $bh = Sbx » 8 

# from rex 

set Secx = Srcx & ©xffffffff 
set Sex = Srcx & 0xffff 
set Scl = Sex & 0xff 
set Sch = Sex » 8 

# from rdx 

set Sedx = Srdx & ©xffffffff 
set Sdx = Srdx & ©xffff 
set Sdl = Sdx & ©xff 
set Sdh = Sdx » 8 

# from rsi 

set Sesi = Srsi & ©xffffffff 
set Ssi = Srsi & ©xffff 

# from rdi 



set $edi = $rdi & Oxffffffff 
set $di = $rdi & Oxffff 
#32 bits stuff 
else 

# from eax 

set Sax = Seax & Oxffff 
set Sal = Sax & Oxff 
set Sah = Sax » 8 

# from ebx 

set Sbx = Sebx & Oxffff 
set $bl = Sbx & Oxff 
set Sbh = Sbx » 8 

# from ecx 

set Sex = Secx & Oxffff 
set Scl = Sex & Oxff 
set Sch = Sex » 8 

# from edx 

set Sdx = Sedx & Oxffff 
set Sdl = Sdx & Oxff 
set Sdh = Sdx » 8 

# from esi 

set Ssi = Sesi & Oxffff 

# from edi 

set Sdi = Sedi & Oxffff 
end 
end 

document smallregisters 
Syntax: smallregisters 

| Create the 16 and 8 bit epu registers (gdb doesn't have them by default). 

j And 32bits if we are dealing with 64bits binaries. 

end 


define func 

if Sargc == 0 

info functions 
end 

if Sargc == 1 

info functions SargO 
end 

if Sargc > 1 
help func 
end 


end 

document func 
Syntax: func <REGEXP> 

| Print all function names in target, or those matching REGEXP, 
end 


define var 
if Sargc 
info 
end 

if Sargc 
info 
end 

if Sargc 
help 


== 0 

variables 
== 1 

variables SargO 

> 1 
var 



end 


end 

document var 
Syntax: var <REGEXP> 

| Print all global and static variable names (symbols), or those matching REGEXP, 
end 


define lib 

info sharedlibrary 
end 

document lib 
Syntax: lib 

| Print shared libraries linked to target, 
end 


define sig 

if Sargc == 0 
info signals 
end 

if $argc == 1 

info signals $arg0 
end 

if Sargc > 1 
help sig 
end 


end 

document sig 
Syntax: sig <SIGNAL> 

| Print what debugger does when program 
j Specify a SIGNAL as argument to print 
end 


gets various 
info on that 


signals . 
signal only. 


define threads 
info threads 
end 

document threads 
Syntax: threads 
| Print threads in target, 
end 


define dis 

if Sargc == 0 
disassemble 
end 

if Sargc == 1 
disassemble 
end 

if Sargc == 2 
disassemble 
end 

if Sargc > 2 
help dis 
end 
end 

document dis 


$arg0 


SargO Sargl 



Syntax: dis <ADDR1> <ADDR2> 

| Disassemble a specified section of memory. 

j Default is to disassemble the function surrounding the PC (program counter) of 
selected frame. 

| With one argument, ADDR1, the function surrounding this address is dumped. 

j Two arguments are taken as a range of memory to dump. 

end 


# hex/ascii dump an address 

define ascii_char 
if Sargc != 1 

help ascii_char 

else 

# thanks elaine : ) 
set $_c = ‘(unsigned char *)($arg0) 
if ($_c < 0x20 || $_c > 0x7E) 
printf 

else 

printf "»c", $_c 
end 
end 
end 

document ascii_char 
Syntax: ascii_char ADDR 

| Print ASCII value of byte at address ADDR. 
j Print if the value is unprintable, 
end 


define hex_quad 
if Sargc != 1 

help hex_quad 

else 

printf "%02X %02X %02X %02X %02X %02X %02X %02X", \ 

‘(unsigned char* ) ($arg0) , ‘(unsigned char*)($arg0 + 1), \ 

‘(unsigned char*)($arg0 + 2), ‘(unsigned char*)($arg0 + 3), \ 

‘(unsigned char*)($arg0 + 4), ‘(unsigned char*)($arg0 + 5), \ 

‘(unsigned char*)($arg0 + 6), ‘(unsigned char*)($arg0 + 7) 

end 
end 

document hex_quad 
Syntax: hex_quad ADDR 

| Print eight hexadecimal bytes starting at address ADDR. 
end 


define hexdump 
if Sargc == 1 

hexdump_aux $arg0 
else 

if Sargc == 2 

set $_count = 0 
while ($_count < Sargl) 

set $_i = ($_count * 0x10) 
hexdump_aux $arg0+$_i 
set $_count++ 
end 


else 



end 


help hexdump 


end 

end 

document hexdump 

Syntax: hexdump ADDR <NR_LINES> 

| Display a 16-byte hex/ASCII dump of memory starting at address ADDR. 
j Optional parameter is the number of lines to display if you want more than one. 
end 


define hexdump_aux 
if Sargc != 1 

help hexdump_aux 

else 

color_bold 

if ($64BITS == 1) 

printf "0x%0161X : 

else 


printf "0x%08X : 
end 

color_reset 
hex_quad $arg0 
color_bold 
printf " - " 
color_reset 
hex_quad $arg0+8 
printf " " 


color_bold 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

ascii_char 

color_reset 


$arg0+0x0 

$arg0+0xl 

$arg0+0x2 

$arg0+0x3 

$arg0+0x4 

$arg0+0x5 

$arg0+0x6 

$arg0+0x7 

$arg0+0x8 

$arg0+0x9 

$arg0+0xA 

$arg0+0xB 

$arg0+0xC 

$arg0+0xD 

$arg0+0xE 

$arg0+0xF 


printf "\n" 
end 


", $arg0 
$arg0 


end 

document hexdump_aux 
Syntax: hexdump_aux ADDR 

| Display a 16-byte hex/ASCII dump of memory at address ADDR. 
end 


# data window. 

define ddump 

if Sargc ■$# 1 
help ddump 



else 

color $COLOR_SEPARATOR 
if $ARM == 1 

printf " [0x%08X] " , $data_addr 

else 

if (S64BITS == 1) 

printf " [0x%04X:0x%0161X] ", $ds, $data_addr 

else 

printf " [0x%04X:0x%08X] ", $ds, $data_addr 
end 
end 

color $COLOR_SEPARATOR 

printf " " 

printf " " 

if (S64BITS == 1) 

printf " " 

end 

color_bold 

color $COLOR_SEPARATOR 
printf "[data]\n" 
color_reset 
set $_count = 0 
while ($_count < $arg0) 

set $_i = ($_count * 0x10) 
hexdump $data_addr+$_i 
set $_count++ 
end 
end 
end 

document ddump 
Syntax: ddump NUM 

| Display NUM lines of hexdump for address in $data_addr global variable, 
end 


define dd 

if $argc != 1 
help dd 

else 

set $data_addr = $arg0 
ddump 0x10 
end 


end 

document dd 
Syntax: dd ADDR 

| Display 16 lines of a hex dump of address starting at ADDR. 
end 


define datawin 
if $ARM == 1 

if ( ( ($r0 » 0x18) == 0x40) || ( ($r0 » 0x18) == 0x08) || (($r0 » 0x18) 

0xBF ) ) 

set $data_addr = $r0 

else 

if ( ( ($rl » 0x18) == 0x40) || ( ($rl » 0x18) == 0x08) || (($rl » 
0x18) == 0xBF ) ) 


set $data_addr = $rl 



else 

if ( ( ($r2 » 0x18) == 0x40) || ( ($r2 » 0x18) == 0x08) || (($r2 » 

0x18) == 0xBF ) ) 

set $data_addr = $r2 

else 

set $data_addr = $sp 
end 
end 
end 

################################# X86 
else 

if (S64BITS == 1) 

if ((($rsi » 0x18) == 0x40) || (($rsi » 0x18) == 0x08) || (($rsi » 
0x18) == 0xBF ) ) 

set $data_addr = $rsi 

else 

if ( ( ($rdi » 0x18) == 0x40) || (($rdi » 0x18) == 0x08) || (($rdi 
» 0x18) == 0xBF ) ) 

set $data_addr = $rdi 

else 

if ( ( ($rax » 0x18) == 0x40) || (($rax » 0x18) == 0x08) || 

( ($rax » 0x18) == 0xBF ) ) 

set $data_addr = $rax 

else 

set $data_addr = $rsp 
end 
end 
end 

else 

if ( ( ($esi » 0x18) == 0x40) || ( ($esi » 0x18) == 0x08) || (($esi » 
0x18) == 0xBF ) ) 

set $data_addr = $esi 

else 

if ( ( ($edi » 0x18) == 0x40) || (($edi » 0x18) == 0x08) || (($edi 
» 0x18) == 0xBF ) ) 

set $data_addr = $edi 

else 

if ((($eax » 0x18) == 0x40) || (($eax » 0x18) == 0x08) || 

( ($eax » 0x18) == 0xBF ) ) 

set $data_addr = $eax 

else 

set $data_addr = $esp 
end 
end 
end 
end 
end 

ddump $CONTEXTSIZE_DATA 
end 

document datawin 
Syntax: datawin 

| Display valid address from one register in data window. 

j Registers to choose are: esi, edi, eax, or esp. 

end 


################################ 
##### ALERT ALERT ALERT ######## 
################################ 



# Huge mess going here : ) HAHA # 

################################ 
define dump jump 
if $ARM == 1 

## Most ARM and Thumb instructions are conditional! 

# each instruction is 32 bits long 

# 4 bits are for condition codes (16 in total) (bits 31:28 in ARM contain 
the condition or 1111 if instruction is unconditional) 

# 2x4 bits for destination and first operand registers 

# one for the set-status flag 

# an assorted number for other stuff 

# 12 bits for any immediate value 

# $_t_flag == 0 => ARM mode 

# $_t_flag == 1 => Thumb or ThumbEE 

# State bit (T), bit 5 
if (($cpsr » 5) & 1) 

set $_t_flag = 1 

else 

set $_t_flag = 0 
end 

if $_t_flag == 0 

set $_lastbyte = * (unsigned char *)($pc+3) 

#set $_bit3l = ($_lastbyte » 7) & 1 
#set $_bit30 = ($_lastbyte » 6) & 1 
#set $_bit29 = ($_lastbyte » 5) & 1 
#set $_bit28 = ($_lastbyte » 4) & 1 
set $_conditional = $_lastbyte » 4 
dumpjumphelper 

else 

# if bits 15-12 (opcode in Thumb instructions) are equal to 1 1 0 1 
(0xD) then we have a conditional branch 

# bits 11-8 for the conditional execution code (check ARMv7 manual 

A8.3) 

if ( (* (unsigned char *)($pc+l) » 4) == 0xD ) 

set $_conditional = * (unsigned char *)($pc+l) A 0xD0 
dumpjumphelper 
end 
end 

##################### X86 
else 

## grab the first two bytes from the instruction so we can determine the 
jump instruction 

set $_bytel = ‘(unsigned char *)$pc 
set $_byte2 = ‘(unsigned char *)($pc+l) 

## and now check what kind of jump we have (in case it ' s a jump 
instruction) 

## I changed the flags routine to save the flag into a variable, so we 
don't need to repeat the process :) (search for "define flags") 

## opcode 0x77: JA, JNBE (jump if CF=0 and ZF=0) 

## opcode 0X0F87 : JNBE, JA 

if ( ($_bytel == 0x77) | | ($_bytel == 0x0F && $_byte2 == 0x87) ) 

# cf=0 and zf=0 

if ($_cf_flag == 0 && $_zf_flag == 0) 
color $RED 

printf " Jump is taken (c=0 and z=0)" 

else 

# cf ! = 0 or zf ! = 0 



color $RED 

printf " Jump is NOT taken (c!=Q or z!=Q)" 
end 
end 

## opcode 0x73: JAE, JNB, JNC (jump if CF=0) 

## opcode 0X0F83 : JNC, JNB, JAE (jump if CF=0) 

if ( ($_bytel == 0x73) | | ($_bytel == 0x0F && $_byte2 == 0x83) ) 

# cf =0 

if ($_cf_flag == 0) 
color $RED 

printf " Jump is taken (c=0)" 

else 

# cf ! = 0 
color $RED 

printf " Jump is NOT taken ( c ! =0 ) " 
end 
end 

## opcode 0x72: JB, JC, JNAE (jump if CF=1) 

## opcode 0X0F82 : JNAE, JB, JC 

if ( ($_bytel == 0x72) | | ($_bytel == 0x0F && $_byte2 == 0x82) ) 

# cf=l 

if ($_cf_flag == 1) 
color $RED 

printf " Jump is taken (c=l)" 

else 

# cf ! = 1 
color $RED 

printf " Jump is NOT taken (c!=l)" 
end 
end 

## opcode 0x76: JBE, JNA (jump if CF=1 or ZF=1) 

## opcode 0X0F86 : JBE, JNA 

if ( ($_bytel == 0x76) | | ($_bytel == 0x0F && $_byte2 == 0x86) ) 

# cf=l or zf=l 

if ( ($_cf_flag == 1) || ($_zf_flag == 1)) 
color $RED 

printf " Jump is taken (c=l or z=l)" 

else 

# cf != 1 or zf ! = 1 
color $RED 

printf " Jump is NOT taken (c!=l or z!=l)" 
end 
end 

## opcode 0xE3 : JCXZ, JECXZ, JRCXZ (jump if CX=0 or ECX=0 or RCX=0) 
if ($_bytel == 0xE3) 

# cx=0 or ecx=0 

if (($ecx == 0) || ($cx == 0)) 
color $RED 

printf " Jump is taken (cx=0 or ecx=0)" 

else 

color $RED 

printf " Jump is NOT taken (cx!=0 or ecx!=0)" 
end 
end 

## opcode 0x74: JE, JZ (jump if ZF=1) 

## opcode 0X0F84 : JZ, JE, JZ (jump if ZF=1) 

if ( ($_bytel == 0x74) | | ($_bytel == 0x0F && $_byte2 == 0x84) ) 

# ZF = 1 

if ($_zf_flag == 1) 



color $RED 

printf " Jump is taken (z=l)" 

else 


# ZF = 0 
color $RED 

printf " Jump is NOT taken (z!=l)" 
end 
end 

## opcode 0x7F : JG, JNLE (jump if ZF=0 and SF=OF) 

## opcode 0X0F8F : JNLE, JG (jump if ZF=0 and SF=OF) 

if ( ($_bytel == 0x7F) | | ($_bytel == 0x0F && $_byte2 == 0x8F) ) 

# zf = 0 and sf = of 

if (($_zf_flag == 0) && ($_sf_flag == $_of_flag)) 
color $RED 

printf " Jump is taken (z=0 and s=o)" 

else 

color $RED 

printf " Jump is NOT taken (z!=0 or s!=o)" 
end 
end 

## opcode 0x7D : JGE, JNL (jump if SF=OF) 

## opcode 0X0F8D : JNL, JGE (jump if SF=OF) 

if ( ($_bytel == 0x7D) | | ($_bytel == 0x0F && $_byte2 == 0x8D) ) 

# sf = of 

if ($_sf_flag == $_of_flag) 
color $RED 

printf " Jump is taken (s=o)" 

else 

color $RED 

printf " Jump is NOT taken (s!=o)" 
end 
end 

## opcode: 0x7C: JL, JNGE (jump if SF != OF) 

## opcode: 0X0F8C: JNGE, JL (jump if SF != OF) 

if ( ($_bytel == 0x7C) | | ($_bytel == 0x0F && $_byte2 == 0x8C) ) 

# sf != of 

if ($_sf_flag ! = $_of_flag) 
color $RED 

printf " Jump is taken (s!=o)" 

else 

color $RED 

printf " Jump is NOT taken (s=o)" 
end 
end 

## opcode 0x7E : JLE, JNG (jump if ZF = 1 or SF != OF) 

## opcode 0X0F8E : JNG, JLE (jump if ZF = 1 or SF != OF) 

if ( ($_bytel == 0x7E) | | ($_bytel == 0x0F && $_byte2 == 0x8E) ) 

# zf = 1 or sf != of 

if (($_zf_flag == 1) || ($_sf_flag != $_of_flag)) 
color $RED 

printf " Jump is taken (zf=l or sf !=of)" 

else 

color $RED 

printf " Jump is NOT taken (zf!=l or sf=of)" 
end 
end 

## opcode 0x75: JNE, JNZ (jump if ZF = 0) 

## opcode 0X0F85 : JNE, JNZ (jump if ZF = 0) 

if ( ($_bytel == 0x75) | | ($_bytel == 0x0F && $_byte2 == 0x85) ) 



# ZF = 0 

if ($_zf_flag == 0) 
color $RED 

printf " Jump is taken (z=0)" 

else 

# ZF = 1 

color $RED 

printf " Jump is NOT taken (z!=0)" 
end 
end 

## opcode 0x71: JNO (OF = 0) 

## opcode 0X0F81 : JNO (OF = 0) 

if ( ($_bytel == 0x71) | | ($_bytel == 0x0F && $_byte2 == 0x81) ) 

# OF = 0 

if ($_of_flag == 0) 
color $RED 

printf " Jump is taken (o=0)" 

else 

# OF != 0 
color $RED 

printf " Jump is NOT taken (o!=0)" 
end 
end 

## opcode 0x7B : JNP, JPO (jump if PF = 0) 

## opcode 0X0F8B : JPO (jump if PF = 0) 

if ( ($_bytel == 0x7B) | | ($_bytel == 0x0F && $_byte2 == 0x8B) ) 

# PF = 0 

if ($_pf_flag == 0) 
color $RED 

printf " Jump is NOT taken (p=0)" 

else 

# PF ! = 0 
color $RED 

printf " Jump is taken (p!=0)" 
end 
end 

## opcode 0x79: JNS (jump if SF = 0) 

## opcode 0X0F89 : JNS (jump if SF = 0) 

if ( ($_bytel == 0x79) | | ($_bytel == 0x0F && $_byte2 == 0x89) ) 

# SF = 0 

if ($_sf_flag == 0) 
color $RED 

printf " Jump is taken (s=0)" 

else 

# SF ! = 0 
color $RED 

printf " Jump is NOT taken (s!=0)" 
end 
end 

## opcode 0x70: JO (jump if OF=l) 

## opcode 0X0F80 : JO (jump if OF=l) 

if ( ($_bytel == 0x70) | | ($_bytel == 0x0F && $_byte2 == 0x80) ) 

# OF = 1 

if ($_of_flag == 1) 
color $RED 

printf " Jump is taken (o=l)" 

else 


# OF !=. 1 
color $RED 



end 


printf " Jump is NOT taken (o!=l)" 


end 

## opcode 0x7A: JP, JPE (jump if PF=1) 

## opcode 0X0F8A: JP, JPE (jump if PF=1) 

if ( ($_bytel == 0x7A) | | ($_bytel == 0x0F && $_byte2 == 0x8A) ) 
# PF = 1 

if ($_pf_flag == 1) 
color $RED 

printf " Jump is taken (p=l)" 

else 

# PF = 0 
color $RED 

printf " Jump is NOT taken (p!=l)" 
end 
end 

## opcode 0x78: JS (jump if SF=1) 

## opcode 0X0F88 : JS (jump if SF=1) 

if ( ($_bytel == 0x78) | | ($_bytel == 0x0F && $_byte2 == 0x88) ) 
# SF = 1 

if ($_sf_flag == 1) 
color $RED 

printf " Jump is taken (s=l)" 

else 

# SF ! = 1 
color $RED 

printf " Jump is NOT taken ( s ! =1 ) " 
end 
end 
end 
end 

document dumpjump 
Syntax: dumpjump 

| Display if conditional jump will be taken or not. 
end 

define dumpjumphelper 

# 0000 - EQ: Z == 1 

if ($_conditional == 0x0) 
if ($_z_flag == 1) 
color $RED 

printf " Jump is taken (z==l)" 

else 

color $RED 

printf " Jump is NOT taken (z!=l)" 
end 
end 

# 0001 - NE: Z == 0 

if ($_conditional == 0x1) 
if ($_z_flag == 0) 
color $RED 

printf " Jump is taken (z==0)" 
else 

color $RED 

printf " Jump is NOT taken (z!=0)" 
end 
end 

# 0010 - CS: C == 1 

if ($_conditional == 0x2) 



if ($_c_flag == 1) 
color $RED 

printf " Jump is taken (c==l)" 
else 

color $RED 

printf " Jump is NOT taken (c!=l)" 
end 
end 

# 0011 - CC: C == 0 

if ($_conditional == 0x3) 
if ($_c_flag == 0) 
color $RED 

printf " Jump is taken (c==0)" 
else 

color $RED 

printf " Jump is NOT taken (c!=0)" 
end 
end 

# 0100 - MI: N == 1 

if ($_conditional == 0x4) 
if ($_n_flag == 1) 
color $RED 

printf " Jump is taken (n==l)" 

else 

color $RED 

printf " Jump is NOT taken (n!=l)" 
end 
end 

# 0101 - PL: N == 0 

if ($_conditional == 0x5) 
if ($_n_flag == 0) 
color $RED 

printf " Jump is taken (n==0)" 
else 

color $RED 

printf " Jump is NOT taken (n!=0)" 
end 
end 

# 0110 - VS: V == 1 

if ($_conditional == 0x6) 
if ($_v_flag == 1) 
color $RED 

printf " Jump is taken (v==l)" 
else 

color $RED 

printf " Jump is NOT taken (v!=l)" 
end 
end 

# 0111 - VC: V == 0 

if ($_conditional == 0x7) 
if ($_v_flag == 0) 
color $RED 

printf " Jump is taken (v==0)" 

else 

color $RED 

printf " Jump is NOT taken (v!=0)" 
end 
end 

# 1000 - HI: C == 1 and Z == 0 



if ($_conditional == 0x8) 

if ($_c_flag == 1 && $_z_flag == 0) 
color $RED 

printf " Jump is taken (c==l and z==0)" 

else 

color $RED 

printf " Jump is NOT taken (c!=l or z!=0)" 
end 
end 

# 1001 - LS: C == 0 or Z == 1 
if ($_conditional == 0x9) 

if ($_c_flag == 0 | | $_z_flag == 1) 
color $RED 

printf " Jump is taken (c==0 or z==l)" 
else 

color $RED 

printf " Jump is NOT taken (c!=0 or z!=l)" 
end 
end 

# 1010 - GE: N == V 

if ($_conditional == 0xA) 

if ($_n_flag == $_v_flag) 
color $RED 

printf " Jump is taken (n==v)" 

else 

color $RED 

printf " Jump is NOT taken (n!=v)" 
end 
end 

# 1011 - LT: N != V 

if ($_conditional == 0xB) 

if ($_n_flag != $_v_flag) 
color $RED 

printf " Jump is taken (n!=v)" 
else 

color $RED 

printf " Jump is NOT taken (n==v)" 
end 
end 

# 1100 - GT: Z == 0 and N == V 
if ($_conditional == 0xC) 

if ($_z_flag == 0 && $_n_flag == $_v_flag) 
color $RED 

printf " Jump is taken (z==0 and n==v)" 
else 

color $RED 

printf " Jump is NOT taken (z!=0 or n!=v)" 
end 
end 

# 1101 - LE : Z == 1 or N != V 
if ($_conditional == 0xD) 

if ($_z_flag == 1 | | $_n_flag != $_v_flag) 
color $RED 

printf " Jump is taken (z==l or n!=v)" 
else 

color $RED 

printf " Jump is NOT taken (z!=l or n==v)" 
end 


end 



end 

document dumpjumphelper 
Syntax: dumpjumphelper 

| Helper function to decide if conditional jump will be taken or not, for ARM and 

Thumb . 

end 


# process context 

# initialize variable 

set Sdisplayobjectivec = 0 

define context 

color $COLOR_SEPARATOR 
if SSHOWCPUREGISTERS == 1 

printf " " 

printf " " 

if (S64BITS == 1) 

printf " 

end 

color $COLOR_SEPARATOR 

color_bold 

printf "[regs]\n" 

color_reset 

reg 

color SCYAN 
end 

if SSHOWSTACK == 1 

color $COLOR_SEPARATOR 
if $ARM == 1 
printf " [0x%08X] " , $sp 
else 

if ($64BITS == 1) 

printf "[0x%04X:0x%0161X]", $ss, $rsp 

else 

printf " [0x%04X: 0x%08X] ", $ss, $esp 
end 
end 

color $COLOR_SEPARATOR 

printf " " 

printf " " 

if (S64BITS == 1) 

printf " " 

end 

color $COLOR_SEPARATOR 
color_bold 
printf "[stack]\n" 
color_reset 

set $context_i = $CONTEXTSIZE_STACK 
while ($context_i > 0) 

set $context_t = $sp + 0x10 * ($context_i - 1) 
hexdump $context_t 
set $context_i-- 
end 
end 

# show the objective C message being passed to msgSend 
if SSHOWOB J ECTIVEC == 1 
#FIXME : X64 and ARM 

# What a piece of crap that's going on here :) 



# detect if it's the correct opcode we are searching for 
if $ARM == 0 

set $ bytel = ‘(unsigned char *)$pc 

set $ byte = *(int *)$pc 

if ($ byte == 0x4244489) 

set $objectivec = Seax 
set $displayobjectivec = l 
end 

if ($ byte == 0x4245489) 

set $objectivec = Sedx 
set $displayobjectivec = 1 
end 

if ($ byte == 0x4244c89) 

set $objectivec = Secx 
set $displayobjectivec = 1 
end 

else 

set $ bytel = 0 

end 

# and now display it or not (we have no interest in having the info 
displayed after the call) 

if $ bytel == 0xE8 

if Sdisplayobjectivec == 1 
color $COLOR_SEPARATOR 
printf 


if (S64BITS == 1) 

printf " 

end 

color $COLOR_SEPARATOR 
color_bold 

printf " [ObjectiveC]\n" 

color_reset 

color $BLACK 

x/s $objectivec 
end 

set Sdisplayobjectivec = 0 
end 

if Sdisplayobjectivec == 1 
color $COLOR_SEPARATOR 
printf 


if (S64BITS == 1) 

printf " 

end 

color $COLOR_SEPARATOR 
color_bold 

printf " [ObjectiveC]\n" 
color_reset 
color SBLACK 
x/s Sobjectivec 
end 
end 

color_reset 

# and this is the end of this little crap 


if SSHOWDATAWIN == 1 



datawin 


end 

color $COLOR_SEPARATOR 
printf 


if (S64BITS == 1) 

printf " 

end 

color $COLOR_SEPARATOR 
color_bold 
printf "[code]\n" 
color_reset 

set $context_i = $CONTEXTSIZE_CODE 
if ($context_i > 0) 

if ($SETCOLORlSTLINE == 1) 
color SGREEN 
if ($ARM == 1) 

# | $cpsr.t (Thumb flag) 

x/i (unsigned int)$pc | (($cpsr » 5) & 1) 

else 
x/i $pc 
end 

color_reset 

else 

if ($ARM == 1) 

# | Scpsr.t (Thumb flag) 

x/i (unsigned int)$pc | (($cpsr » 5) & 1) 

else 

x/i $pc 
end 
end 

set $context_i-- 
end 

while ($context_i > 0) 
x /i 

set $context_i-- 
end 

color $COLOR_SEPARATOR 


printf " " 

printf " " 

if ($64BITS == 1) 

printf " \n" 

else 


printf "\n" 
end 

color_reset 

end 

document context 
Syntax: context 

| Print context window, i.e. regs, stack, ds:esi and disassemble cs:eip. 
end 


define context-on 

set $SHOW_CONTEXT = 1 

printf "Displaying of context is now ON\n" 
end 

document context-on 



Syntax: context-on 

| Enable display of context on every program break, 
end 


define context-off 

set $S H OW_CO N T EXT = 0 

printf "Displaying of context is now OFF\n" 
end 

document context-off 
Syntax: context-off 

| Disable display of context on every program break, 
end 


# process control 

define n 

if $argc == 0 
nexti 
end 

if $argc == 1 
nexti $arg0 
end 

if $argc > 1 
help n 
end 
end 

document n 
Syntax: n <NUM> 

| Step one instruction, but proceed through subroutine calls, 
j If NUM is given, then repeat it NUM times or till program stops 
j This is alias for nexti. 
end 


define go 

if $argc == 0 
stepi 
end 

if $argc == 1 
stepi $arg0 
end 

if $argc > 1 
help go 
end 


end 

document go 
Syntax: go <NUM> 

| Step one instruction exactly. 

j If NUM is given, then repeat it NUM times or till program stops 

j This is alias for stepi. 

end 


define pret 
finish 
end 

document pret 
Syntax: pret 



| Execute until selected stack frame returns (step out of current call), 
j Upon return, the value returned is printed and put in the value history, 
end 


define init 

set $SHOW_NEST_INSN = 0 
tbreak _init 
r 

end 

document init 
Syntax: init 

| Run program and break on _init(). 
end 


define start 

set $SHOW_NEST_INSN = 0 
tbreak _start 
r 

end 

document start 
Syntax: start 

| Run program and break on _start(). 
end 


define sstart 

set $SHOW_NEST_INSN = 0 

tbreak libc_start_main 

r 

end 

document sstart 
Syntax: sstart 

| Run program and break on libc_start_main( ) . 

j Useful for stripped executables, 
end 


define main 

set $SHOW_NEST_INSN = 0 
tbreak main 
r 

end 

document main 
Syntax: main 

| Run program and break on main(). 
end 


# FIXME64 

#### WARNING J WARNING ! ! 

#### More more messy stuff starting ! ! ! 

#### I was thinking about how to do this and then it ocurred me that it could be as 
simple as this ! : ) 
define stepof ramework 
if $ARM == 1 

# bl and bx opcodes 

# bx Rn => ARM bits 27-20: 00010010, bits 7-4: 0001; Thumb 



bits: 15-7: 010001110 

# blx Rn => ARM bits 27-20: 00010010, bits 7-4: 0011; Thumb 
bits: 15-7: 010001111 

# bl # => ARM bits 27-24: 1011; Thumb bits: 15-11: 11110 

# blx # => ARM bits 31-25: 1111101; Thumb bits: 15-11: 11110 
set $_nextaddress = 0 

# ARM Mode 

if ($_t_flag == 0) 

set $_branchesint = * (unsigned int*)$pc 
set $_bit31 = ($_branchesint » 0xlF) & 1 

set $_bit30 = ($_branchesint » 0xlE) & 1 

set $_bit29 = ($_branchesint » 0xlD) & 1 

set $_bit28 = ($_branchesint » 0xlC) & 1 

set $_bit27 = ($_branchesint » 0xlB) & 1 

set $_bit26 = ($_branchesint » 0xlA) & 1 

set $_bit25 = ($_branchesint » 0x19) & 1 

set $_bit24 = ($_branchesint » 0x18) & 1 

set $_bit23 = ($_branchesint » 0x17) & 1 

set $_bit22 = ($_branchesint » 0x16) & 1 

set $_bit21 = ($_branchesint » 0x15) & 1 

set $_bit20 = ($_branchesint » 0x14) & 1 

set $_bit7 = ($_branchesint » 0x7) & 1 

set $_bit6 = ($_branchesint » 0x6) & 1 

set $_bit5 = ($_branchesint » 0x5) & 1 

set $_bit4 = ($_branchesint » 0x4) & 1 

# set $_lastbyte = * (unsigned char *)($pc+3) 

# set $_bits2724 = $_lastbyte & 0x1 

# set $_bits3l28 = $_lastbyte » 4 

# if ($_bits3128 == 0xF) 

# set $_bits2724 = $_lastbyte & 0xA 

# set $_bits2724 = $_bits2724 » 1 

# end 

# set $_previousbyte = *(unsigned char *)($pc+2) 

# set $_bits2320 = $_previousbyte » 4 

# printf "bits2724 : %x bits2320: %x\n", $_bits2724, $_bits2320 

if ($_bit27 == 0 && $_bit26 == 0 && $_bit25 == 0 && $_bit24 == 1 && 

$_bit23 == 0 && $_bit22 == 0 && $_bit2l == 1 && $_bit20 == 0 && $_bit7 == 0 && 

$_bit6 == 0 && $_bit5 == 0 && $_bit4 == 1) 

printf "Found a bx Rn\n" 
set $_nextaddress = $pc+0x4 
end 

if ($_bit27 == 0 && $_bit26 == 0 && $_bit25 == 0 && $_bit24 == 1 && 

$_bit23 == 0 && $_bit22 == 0 && $_bit2l == 1 && $_bit20 == 0 && $_bit7 == 0 && 

$_bit6 == 0 && $_bit5 == 1 && $_bit4 == 1) 

printf "Found a blx Rn\n" 
set $_nextaddress = $pc+0x4 
end 

if ($_bit27 == l && $_bit26 == 0 && $_bit25 == 1 && $_bit24 == 1) 
printf "Found a bl #\n" 
set $_nextaddress = $pc+0x4 
end 

if ($_bit3l == 1 && $_bit30 == 1 && $_bit29 == 1 && $_bit28 == 1 && 

$_bit27 == 1 && $_bit26 == 0 && $_bit25 == 1) 

printf "Found a blx #\n" 
set $_nextaddress = $pc+0x4 


end 



# Thumb Mode 
else 

# 32 bits instructions in Thumb are divided into two half words 
set $_hwl = * (unsigned short*) ($pc) 
set $_hw2 = * (unsigned short*) ($pc+2) 


) 


# bl/blx (immediate) 

# hwl : bits 15-11: 11110 

# hw2 : bits 15-14: 1 1 ; BL bit 12 : 1 ; BLX bit 12: 0 

if ( ($_hwl » 0xC) == 0xF && ( ($_hwl » 0xB) & 1) == 0) 

if ( ( ( ($_hw2 » 0xF) & 1) == 1) && ( ( ($_hw2 » 0xE) & 1) == 1) 

set $_nextaddress = $pc+0x4 
end 
end 


end 

# if we have found a call to bypass we set a temporary breakpoint on next 
instruction and continue 

if ($_nextaddress != 0) 
tbreak *$_nextaddress 
continue 

printf "[StepO] Next address will be %x\n", $_nextaddress 

# else we just single step 
else 


nexti 

end 

###################################### X86 
else 


## we know that an opcode starting by 0xE8 has a fixed length 
## for the 0xFF opcodes, we can enumerate what is possible to have 

# first we grab the first 3 bytes from the current program counter 
set $_bytel = * (unsigned char *)$pc 

set $_byte2 = ‘(unsigned char *)($pc+l) 
set $_byte3 = ‘(unsigned char *)($pc+2) 

# and start the fun 

# if it's a 0xE8 opcode, the total instruction size will be 5 bytes 

# so we can simply calculate the next address and use a temporary 
breakpoint f Voila : ) 

set $_nextaddress = 0 

# this one is the must useful for us ! ! ! 
if ($_bytel == 0xE8) 

set $_nextaddress = $pc + 0x5 

else 


# just other cases we might be interested in... maybe this should be 
removed since the 0xE8 opcode is the one we will use more 

# this is a big fucking mess and can be improved for sure :) I don't 
like the way it is ehehehe 

if ($_bytel == 0xFF) 

# call *%eax (0xFFD0) || call *%edx (0xFFD2) || call *(%ecx) 
(0xFFDl) | | call (%eax) (0xFFl0) | | call *%esi (0xFFD6) | | call *%ebx (0xFFD3) | | 
call DWORD PTR [edx] (0XFF12) 

if ($_byte2 == 0xD0 | | $_byte2 == 0xDl | | $_byte2 == 0xD2 | | 

$_byte2 == 0xD3 | | $_byte2 == 0xD6 | | $_byte2 == 0x10 | j $_byte2 == 0x11 | | $_byte2 
== 0xD7 | | $_byte2 == 0x12) 

set $_nextaddress = $pc + 0x2 

end 

# call *0x??(%ebp) (0xFF55??) | | call *0x??(%esi) (0xFF56??) | | 
call *0x??(%edi) (0xFF5F??) | | call *0x??(%ebx) 

# call *0x??(%edx) (0xFF52??) | | call *0x??(%ecx) (0xFF5l??) | | 



call *0x??(%edi) (0xFF57??) | | call *0x??(%eax) (0xFF50??) 

if ($_byte2 == 0x55 | | $_byte2 == 0x56 | | $_byte2 == 0x5F | | 

$_byte2 == 0x53 | | $_byte2 == 0x52 | | $_byte2 == 0x51 | | $_byte2 == 0x57 | | $_byte2 
== 0x50) 

set $_nextaddress = $pc + 0x3 
end 

# call *0x????????(%ebx) (0xFF93????????) | | 

if ($_byte2 == 0x93 | | $_byte2 == 0x94 | | $_byte2 == 0x90 | | 

$_byte2 == 0x92 | | $_byte2 == 0x95 | | $_byte2 == 0x15) 
set $_nextaddress = $pc + 6 
end 

# call * 0x???????? ( %ebx , %eax , 4 ) (0xFF94??????????) 
if ($_byte2 == 0x94) 

set $_nextaddress = $pc + 7 
end 
end 

# FIXME : still missing a few? 

if ($_bytel == 0x41 | | $_bytel == 0x40) 
if ($_byte2 == 0xFF) 

if ($_byte3 == 0xD0 | | $_byte3 == 0xDl | | $_byte3 == 0xD2 | | 
$_byte3 == 0xD3 | | $_byte3 == 0xD4 | | $_byte3 == 0xD5 | | $_byte3 == 0xD6 | | 

$_byte3 == 0xD7 ) 

set $_nextaddress = $pc + 0x3 
end 
end 
end 
end 

# if we have found a call to bypass we set a temporary breakpoint on next 
instruction and continue 

if ($_nextaddress != 0) 
if ($arg0 == 1) 

thbreak *$_nextaddress 

else 

tbreak *$_nextaddress 
end 

continue 

# else we just single step 
else 

nexti 

end 

end 

end 

document stepof ramework 
Syntax: stepof ramework 
| Auxiliary function to stepo command, 
end 

define stepo 

stepof ramework 0 
end 

document stepo 
Syntax: stepo 

| Step over calls (interesting to bypass the ones to msgSend). 

j This function will set a temporary breakpoint on next instruction after the call 
so the call will be bypassed. 

| You can safely use it instead nexti or n since it will single step code if it's 

not a call instruction (unless you want to go into the call function). 

end 



define stepoh 

stepof ramework 1 
end 

document stepoh 
Syntax: stepoh 

| Same as stepo command but uses temporary hardware breakpoints, 
end 


# FIXME : ARM 
define skip 

x/2i $pc 

set $instruction_size = (int)($_ - $pc) 
set $pc = $pc + $instruction_size 
if (SSKIPEXECUTE == 1) 

if (SSKIPSTEP == 1) 
stepo 

else 

stepi 

end 

else 

context 

end 

end 

document skip 
Syntax: skip 

| Skip over the instruction located at EIP/RIP. By default, the instruction will 
not be executed! 

| Some configurable options are available on top of gdbinit to override this, 
end 


# eflags commands 

# conditional flags are 

# negative/less than (N), bit 31 of CPSR 

# zero (Z), bit 30 

# Carry/Borrow/Extend (C), bit 29 

# Overflow (V), bit 28 

# negative/less than (N), bit 31 of CPSR 
define cfn 

if $ARM == 1 

set Stempflag = $cpsr->n 
if (Stempflag & 1) 

set $cpsr->n = $tempflag&~0xl 

else 

set $cpsr->n = Stempflag | 0x1 
end 
end 
end 

document cfn 
Syntax: cfn 

| Change Negative/Less Than Flag, 
end 


define cfc 

# Carry/Borrow/Extend (C), bit 29 



if $ARM == 1 

set Stempflag = $cpsr->c 
if (Stempflag & 1) 

set $cpsr->c = $tempflag&~0xl 

else 

set $cpsr->c = Stempflag | 0x1 
end 
else 

if ((unsigned int)$eflags & 1) 

set Seflags = (unsigned int)$eflags&~0xl 

else 

set Seflags = (unsigned int )$ef lags | 0x1 
end 
end 
end 

document cfc 
Syntax: cfc 
| Change Carry Flag, 
end 


define cfp 

if (((unsigned int)$eflags » 2) & 1) 

set Seflags = (unsigned int)$eflags&~0x4 

else 

set Seflags = (unsigned int )$ef lags | 0x4 
end 
end 

document cfp 
Syntax: cfp 
| Change Parity Flag, 
end 


define cfa 

if (((unsigned int)$eflags » 4) & 1) 

set Seflags = (unsigned int )$eflags&~0xl0 

else 

set Seflags = (unsigned int )$eflags| 0x10 
end 


end 

document cfa 
Syntax: cfa 

| Change Auxiliary Carry Flag, 
end 


define cfz 
# zero (Z), bit 30 
if SARM == 1 

set Stempflag = $cpsr->z 
if (Stempflag & 1) 

set $cpsr->z = $tempflag&~0xl 

else 

set $cpsr->z = Stempflag | 0x1 
end 
else 

if (((unsigned int)$eflags » 6) & 1) 

set Seflags = (unsigned int)$eflags&~0x40 



else 

set Seflags = (unsigned int )$ef lags | 0x40 
end 
end 
end 

document cfz 
Syntax: cfz 
| Change Zero Flag, 
end 


define cfs 

if (((unsigned int)$eflags » 7) & 1) 

set Seflags = (unsigned int )$eflags&~0x80 

else 

set Seflags = (unsigned int )$eflags| 0x80 
end 


end 

document cfs 
Syntax: cfs 
| Change Sign Flag, 
end 


define eft 

if (((unsigned int)$eflags »8) & 1) 

set Seflags = (unsigned int)$eflags&~0xl00 

else 

set Seflags = (unsigned int )$ef lags | 0x100 
end 


end 

document eft 
Syntax: eft 
| Change Trap Flag, 
end 


define efi 

if (((unsigned int)$eflags » 9) & 1) 

set Seflags = (unsigned int )Seflags&~0x200 

else 

set Seflags = (unsigned int )$eflags| 0x200 
end 
end 

document efi 
Syntax: efi 

| Change Interrupt Flag. 

j Only privileged applications (usually the OS kernel) may modify IF. 
j This only applies to protected mode (real mode code may always modify IF), 
end 


define cfd 

if (((unsigned int)$eflags »0xA) & 1) 

set Seflags = (unsigned int )$eflags&~0x400 

else 

set Seflags = (unsigned int )$ef lags | 0x400 
end 


end 



document cfd 
Syntax: cfd 

| Change Direction Flag, 
end 


define cfo 

if (((unsigned int)$eflags » 0xB) & 1) 

set Seflags = (unsigned int )$eflags&~0x800 

else 

set Seflags = (unsigned int )$eflags| 0x800 
end 
end 

document cfo 
Syntax: cfo 

| Change Overflow Flag, 
end 


# Overflow (V), bit 28 
define cfv 

if SARM == 1 

set Stempflag = $cpsr->v 
if (Stempflag & 1) 

set $cpsr->v = $tempflag&~0xl 

else 

set $cpsr->v = Stempflag | 0x1 
end 
end 
end 

document cfv 
Syntax: cfv 

| Change Overflow Flag, 
end 


# patch 

# the usual nops are mov r0, r0 for arm (OxelaOOOOO) 

# and mov r8,r8 in Thumb (0x46c0) 

# armv7 has other nops 

# FIXME : make sure that the interval fits the 32bits address for arm and 16bits for 
thumb 

# status: works, fixme 
define nop 

if (Sargc >2 | | Sargc == 0) 
help nop 
end 

if SARM == 1 

if (Sargc == 1) 

if ($cpsr->t &1) 

# thumb 

set *(short *)$arg0 = 0x46c0 

else 

# arm 

set *(int *)$arg0 = 0xela00000 
end 

else 


set Saddr = SargO 



if ($cpsr->t & 1) 

# thumb 

while ($addr < $argl) 

set *(short *)$addr = 0x46c0 
set Saddr = $addr + 2 
end 

else 

# arm 

while (Saddr < Sargl) 

set *(int *)$addr = 0xela00000 
set Saddr = Saddr + 4 
end 
end 
end 

else 

if (Sargc == 1) 

set ‘(unsigned char *)$arg0 = 0x90 
else 

set Saddr = SargO 
while (Saddr < Sargl) 

set ‘(unsigned char *)$addr = 0x90 
set Saddr = Saddr + 1 
end 
end 
end 
end 

document nop 

Syntax: nop ADDR1 [ADDR2] 

| Patch a single byte at address ADDR1, or a series of bytes between 
ADDR2 to a NOP (0x90) instruction. 

| ARM or Thumb code will be patched accordingly, 
end 


define null 

if ( Sargc >2 | | Sargc == 0) 
help null 
end 

if (Sargc == 1) 

set ‘(unsigned char *)$arg0 = 0 

else 

set Saddr = SargO 
while (Saddr < Sargl) 

set ‘(unsigned char *)$addr = 0 
set Saddr = Saddr +1 
end 
end 
end 

document null 

Syntax: null ADDR1 [ADDR2] 

| Patch a single byte at address ADDR1 to NULL (0x00), or a series of 

ADDRl and ADDR2 . 

end 

# FIXME : thumb breakpoint ? 
define int3 

if Sargc != 1 
help int3 


ADDRl and 


bytes between 



else 

if $ARM == 1 

set $0RIGINAL_INT3 = *( unsigned int *)$arg0 

set $0RIGINAL_INT3ADDRESS = $arg0 

set ‘(unsigned int*)$arg0 = 0xe7ffdefe 

else 

# save original bytes and address 

set $0RIGINAL_INT3 = ‘(unsigned char *)$arg0 
set $ORIGINAL_INT3ADDRESS = $arg0 

# patch 

set ‘(unsigned char *)$arg0 = 0xCC 
end 
end 
end 

document int3 
Syntax int3 ADDR 

| Patch byte at address ADDR to an INT3 (0xCC) instruction or the equivalent 

software breakpoint for ARM. 

end 


define rint3 

if $ARM == 1 

set ‘(unsigned int * )$ORIGINAL_INT3ADDRESS = $0RIGINAL_INT3 
set $pc = $0RIGINAL_INT3ADDRESS 

else 

set ‘(unsigned char * )$0RIGINAL_INT3ADDRESS = $0RIGINAL_INT3 
if (S64BITS == 1) 

set $rip = $ORIGINAL_INT3ADDRESS 

else 

set $eip = $0RIGINAL_INT3ADDRESS 
end 
end 
end 

document rint3 
Syntax: rint3 

| Restore the original byte previous to int3 patch issued with "int3" command. 


define patch 

if $argc 1= 3 
help patch 
end 

set Spatchaddr = $arg0 
set Spatchbytes = $argl 
set Spatchsize = $arg2 

if (Spatchsize == 1) 

set ‘(unsigned char* )$patchaddr = Spatchbytes 
end 

if (Spatchsize == 2) 

set Slendianbytes = (unsigned short) ( (Spatchbytes « 8) | (Spatchbytes » 

8 )) 

set ‘(unsigned short* )$patchaddr = Slendianbytes 
end 

if (Spatchsize == 4) 

set Slendianbytes = (unsigned int)( ((Spatchbytes « 8) & 0XFF00FF00 ) | 
((Spatchbytes » 8) & 0xFF00FF )) 

set Slendianbytes = (unsigned int ) (Slendianbytes « 0x10 | Slendianbytes » 



0x10) 

set ‘(unsigned int*)$patchaddr = Slendianbytes 
end 

if (Spatchsize == 8) 

set Slendianbytes = (unsigned long long)( ( (Spatchbytes « 8) & 
0XFF00FF00FF00FF00ULL ) | ((Spatchbytes » 8) & 0X00FF00FF00FF00FFULL ) ) 

set Slendianbytes = (unsigned long long)( ((Slendianbytes « 0x10) & 
0XFFFF0000FFFF0000ULL ) | ((Slendianbytes » 0x10) & 0X0000FFFF0000FFFFULL ) ) 
set Slendianbytes = (unsigned long long)( (Slendianbytes « 0x20) | 
(Slendianbytes » 0x20) ) 

set ‘(unsigned long long* )$patchaddr = Slendianbytes 
end 
end 

document patch 

Syntax: patch address bytes size 

| Patch a given address, converting the bytes to little-endian, 
j Assumes input bytes are unsigned values and should be in hexadecimal format 
(0x. ■ ■ ) ■ 

| Size must be 1, 2, 4, 8 bytes. 

j Main purpose is to be used with the output from the asm commands, 
end 

# cflow 

define print_insn_type 
if Sargc != 1 

help print_insn_type 

else 

if (Sarg0 < 0 | | Sarg0 > 5) 

printf "UNDEFINED/WRONG VALUE" 
end 

if ($arg0 == 0) 

printf "UNKNOWN" 
end 

if (SargO == 1) 
printf " JMP" 
end 

if (SargO == 2) 
printf " JCC" 
end 

if (SargO == 3) 
printf "CALL" 
end 

if (SargO == 4) 
printf "RET" 
end 

if (SargO == 5) 
printf "INT" 
end 
end 
end 

document print_insn_type 

Syntax: print_insn_type INSN_TYPE_NUMBER 

| Print human-readable mnemonic for the instruction type (usually $INSN_TYPE). 
end 


define get_insn_type 
if Sargc != 1 

help get_insn_type 



else 

set $INSN_TYPE = 0 

set $_bytel = * (unsigned char *)$arg0 
if ($_bytel == 0x9A | | $_bytel == 0xE8) 

# "call" 

set $INSN_TYPE = 3 
end 

if ($_bytel >= 0xE9 && $_bytel <= 0xEB) 

# "jmp" 

set $INSN_TYPE = 1 
end 

if ($_bytel >= 0x70 && $_bytel <= 0x7F) 

# "jcc" 

set $INSN_TYPE = 2 
end 

if ($_bytel >= 0xE0 && $_bytel <= 0xE3 ) 

# "jcc" 

set $INSN_TYPE = 2 
end 

if ($_bytel == 0xC2 | | $_bytel == 0xC3 | | $_bytel == 0xCA | | \ 
$_bytel == 0xCB | | $_bytel == 0xCF) 

# "ret" 

set $INSN_TYPE = 4 
end 

if ($_bytel >= 0xCC && $_bytel <= 0xCE) 

# "int" 

set $INSN_TYPE = 5 
end 

if ($_bytel == 0x0F ) 

# two-byte opcode 

set $_byte2 = * (unsigned char *)($arg0 + 1) 
if ($_byte2 >= 0x80 && $_byte2 <= 0x8F) 

# "jcc" 

set $INSN_TYPE = 2 
end 
end 

if ($_bytel == 0xFF) 

# opcode extension 

set $_byte2 = * (unsigned char *)($arg0 + 1) 
set $_opext = ($_byte2 & 0x38) 
if ($_opext == 0x10 | | $_opext == 0x18) 

# "call" 

set $INSN_TYPE = 3 
end 

if ($_opext == 0x20 | | $_opext == 0x28) 

# "jmp" 

set $INSN_TYPE = 1 
end 
end 
end 
end 

document get_insn_type 

Syntax: get_insn_type ADDR 

| Recognize instruction type at address ADDR. 

j Take address ADDR and set the global $INSN_TYPE variable to 

j 0, 1, 2, 3, 4, 5 if the instruction at that address is 

j unknown, a jump, a conditional jump, a call, a return, or an interrupt. 

end 



define step_to_call 

set $_saved_ctx = $SHOW_CONTEXT 
set $SHOW_CONTEXT = 0 
set $SHOW_NEST_INSN = 0 

set logging file /dev/null 
set logging redirect on 
set logging on 

set $_cont = 1 
while ($_cont > 0) 
stepi 

get_insn_type $pc 
if ($INSN_TYPE == 3) 
set $_cont = 0 
end 
end 

set logging off 

if ($_saved_ctx >0) 
context 
end 

set $SHOW_CONTEXT = $_saved_ctx 
set $SHOW_NEST_INSN = 0 

set logging file -Vgdb.txt 
set logging redirect off 
set logging on 

printf "step_to_call command stopped at:\n 
x/i $pc 
printf "\n" 
set logging off 


end 

document step_to_call 
Syntax: step_to_call 

| Single step until a call instruction is found, 
j Stop before the call is taken, 
j Log is written into the file -Vgdb.txt. 
end 


define trace_calls 

printf "Tracing ... please wait...\n" 

set $_saved_ctx = $SHOW_CONTEXT 
set $SHOW_CONTEXT = 0 
set $SHOW_NEST_INSN = 0 
set $_nest = 1 
set listsize 0 

set logging overwrite on 

set logging file ~/gdb_trace_calls . txt 

set logging on 



set logging off 

set logging overwrite off 


while ($_nest > 0) 
get_insn_type $pc 

# handle nesting 

if ($INSN_TYPE == 3) 

set $_nest = $_nest + 1 

else 

if ($INSN_TYPE == 4) 

set $_nest = $_nest - 1 
end 
end 

# if a call, print it 
if ($INSN_TYPE == 3) 

set logging file ~/gdb_trace_calls . txt 
set logging redirect off 
set logging on 

set $x = $_nest - 2 
while ($x > 0) 
printf "\t" 
set $x = $x - 1 
end 

x/i $pc 
end 


end 


set logging 
set logging 
set logging 
set logging 
stepi 

set logging 
set logging 


off 

file /dev/null 
redirect on 
on 

redirect off 
off 


set $SHOW_CONTEXT = $_saved_ctx 
set $SHOW_NEST_INSN = 0 

printf "Done, check ~/gdb_trace_calls . txt\n" 
end 

document trace_calls 
Syntax: trace_calls 

| Create a runtime trace of the calls made by target, 
j Log overwrites( ! ) the file ~/gdb_trace_calls . txt . 
end 


define trace_run 

printf "Tracing ... please wait...\n" 

set $_saved_ctx = $show_context 

set $SHOW_CONTEXT = 0 

set $SHOW_NEST_INSN = 1 

set logging overwrite on 

set logging file ~/gdb_trace_run . txt 

set logging redirect on 

set logging on 



set $_nest = 1 


while ( $_nest > 0 ) 

get_insn_type $pc 
# jmp, jcc, or ell 
if ($INSN_TYPE == 3) 

set $_nest = $_nest + 1 

else 

# ret 

if ($INSN_TYPE == 4) 

set $_nest = $_nest - 1 
end 
end 
stepi 
end 

printf "\n" 

set $SHOW_CONTEXT = $_saved_ctx 
set $SHOW_NEST_INSN = 0 
set logging redirect off 
set logging off 

# clean up trace file 

shell grep -v 1 at 1 ~/gdb_trace_run . txt > ~/gdb_trace_run . 1 
shell grep -v ' in ' ~/gdb_trace_run . 1 > ~/gdb_trace_run . txt 
shell rm -f ~/gdb_trace_run . 1 
printf "Done, check ~/gdb_trace_run . txt\n" 
end 

document trace_run 
Syntax: trace_run 

| Create a runtime trace of target. 

j Log overwrites( ! ) the file ~/gdb_trace_run . txt . 

end 

define entry_point 

set logging redirect on 

set logging file /tmp/gdb-entry_point 

set logging on 

info files 

set logging off 

shell entry_point="$(/usr/bin/grep 'Entry point:' /tmp/gdb-entry_point | 
/usr/bin/awk '{ print $3 }')"; echo "$entry_point" ; echo 'set $entry_point_address 
= ' "$entry_point" > /tmp/gdb-entry_point 
source /tmp/gdb-entry_point 
shell /bin/rm -f /tmp/gdb-entry_point 
end 

document entry_point 
Syntax: entry_point 

| Prints the entry point address of the target and stores it in the variable 

entry_point . 

end 


define break_entrypoint 



entry_point 

break *$entry_point_address 
end 

document break_entrypoint 
Syntax: break_entrypoint 

| Sets a breakpoint on the entry point of the target, 
end 

define objc_symbols 

set logging redirect on 

set logging file /tmp/gdb-objc_symbols 

set logging on 

info target 

set logging off 

# XXX: define paths for objc-symbols and SymTabCreator 

shell target="$(/usr/bin/head -1 /tmp/gdb-objc_symbols | /usr/bin/head -1 
| /usr/bin/awk -F "" '{ print $2 objc-symbols "Starget" | SymTabCreator 

-o /tmp/gdb-symtab 

set logging on 

add-symbol-file /tmp/gdb-symtab 
set logging off 

shell /bin/rm -f /tmp/gdb-objc_symbols 
end 

document objc_symbols 
Syntax: objc_symbols 

| Loads stripped objc symbols into gdb using objc-symbols and SymTabCreator 
j See http : //stackoverf low. com/questions/17554070/import- class -dump -info -into -gdb 
j and https://github.com/0xced/class-durnp/tree/objc-symbols (for the required 
utils) 
end 

#define ptraceme 

# catch syscall ptrace 

# commands 

# if (S64BITS == 0) 

# if ($ebx == 0) 

# set $eax = 0 

# continue 

# end 

# else 

# if ($rdi == 0) 

# set $rax = 0 

# continue 

# end 

# end 

# end 

# set $ptrace_bpnum = $bpnum 

#end 

#document ptraceme 
#Syntax: ptraceme 

#| Hook ptrace to bypass PTRACE_TRACEME anti debugging technique 
#end 

define rptraceme 

if ($ptrace_bpnum != 0) 



delete $ptrace_bpnum 
set $ptrace_bpnum = 0 
end 
end 

document rptraceme 
Syntax: rptraceme 
| Remove ptrace hook, 
end 


# misc 

define hook-stop 

if (sizeof (void*) == 8) 
set S64BITS = 1 

else 

set $64BITS = 0 
end 

if (SKDP64BITS ! = -1) 
if (SKDP64BITS == 0) 
set S64BITS = 0 

else 

set S64BITS = 1 
end 
end 

# Display instructions formats 
if $ARM == 1 

if SARMOPCODES == 1 

set arm show-opcode-bytes 1 
end 

else 

if SX86FLAV0R == 0 

set disassembly-flavor intel 

else 

set disassembly-flavor att 
end 
end 

# this makes 'context' be called at every BP/step 
if ($SHOW_CONTEXT > 0) 

context 

end 

if ( $SHOW_N EST_I NSN > 0) 
set $x = $_nest 
while ($x > 0) 
printf "\t" 
set $x = $x - 1 
end 
end 
end 

document hook-stop 
Syntax: hook-stop 

| ! ! ! FOR INTERNAL USE ONLY - DO NOT CALL ! ! ! 
end 


# original by Tavis Ormandy (http://my.opera.com/taviso/blog/index.dml/tag/gdb) 
(great fix ! ) 



# modified to work with Mac OS X by f G ! 

# seems nasm shipping with Mac OS X has problems accepting input from stdin or 
heredoc 

# input is read into a variable and sent to a temporary file which nasm can read 
define assemble 

# dont enter routine again if user hits enter 

dont-repeat 

if (Sargc) 

if (*$arg0 = *$arg0) 

# check if we have a valid address by dereferencing it, 

# if we havnt, this will cause the routine to exit, 
end 

printf "Instructions will be written to %#x.\n", $arg0 

else 

printf "Instructions will be written to stdout. \n" 
end 

printf "Type instructions, one per line." 
color_bold 

printf " Do not forget to use NASM assembler syntax !\n" 
color_reset 

printf "End with a line saying just Y'endV'An" 

if (Sargc) 

if (S64BITS == 1) 

# argument specified, assemble instructions into memory at address 

specified . 

shell ASMOPCODE="$( while read -ep ' >' r && test "$r" != end ; do echo 
-E "$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 64\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; 
/usr/local/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/hexdump 
-ve '1/1 "set *((unsigned char *) SargO + %#2_ax) = %#02x\n"' 

>/tmp/gdbassemble ; /bin/rm -f /tmp/$GDBASMFILENAME 
source /tmp/gdbassemble 

# all done, clean the temporary file 
shell /bin/rm -f /tmp/gdbassemble 

else 

# argument specified, assemble instructions into memory at address 

specified . 

shell ASMOPCODE="$( while read -ep 1 >' r && test "$r" != end ; do echo 
-E "$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 32\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm 
-f bin -o /dev/stdout /tmp/$GDBASMFlLENAME | /usr/bin/hexdump -ve '1/1 "set 
*( (unsigned char *) SargO + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f 
/tmp/$GDBASMFILENAME 

source /tmp/gdbassemble 

# all done, clean the temporary file 

shell /bin/rm -f /tmp/gdbassemble 
end 
else 

if (S64BITS == 1) 

# no argument, assemble instructions to stdout 

shell ASMOPCODE="$( while read -ep 1 >' r && test "$r" != end ; do echo 
-E "$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 64\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; 
/usr/local/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | 
/usr/local/bin/ndisasm -i -b64 /dev/stdin ; \ 

/bin/rm -f /tmp/$GDBASMFILENAME 

else 

# no argument, assemble instructions to stdout 



shell ASMOPCODE="$( while read -ep 1 >' r && test "$r" != end ; do echo 
-E "$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 32\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f 
bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/ndisasm -i -b32 /dev/stdin ; \ 
/bin/rm -f /tmp/$GDBASMFILENAME 
end 
end 
end 

document assemble 
Syntax: assemble <ADDR> 

| Assemble instructions using nasm. 
j Type a line containing "end" to indicate the end. 

j If an address is specified, insert/modify instructions at that address, 
j If no address is specified, assembled instructions are printed to stdout. 
j Use the pseudo instruction "org ADDR" to set the base address, 
end 

define assemble32 

# dont enter routine again if user hits enter 

dont-repeat 

if ($argc) 

if (*$arg0 = *$arg0) 

# check if we have a valid address by dereferencing it, 

# if we havnt, this will cause the routine to exit, 
end 

printf "Instructions will be written to %#x.\n", $arg0 

else 

printf "Instructions will be written to stdout. \n" 
end 

printf "Type instructions, one per line." 
color_bold 

printf " Do not forget to use NASM assembler syntax !\n" 
color_reset 

printf "End with a line saying just \"end\".\n" 
if ($argc) 

# argument specified, assemble instructions into memory at address 
specified . 

shell ASMOPCODE="$( while read -ep ’>' r && test "$r" !“ end ; do echo -E 
"$r" ; done)" ; GDBASMFILENAME=$RANDOM ; \ 

echo -e "BITS 32\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f bin 
-o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/hexdump -ve '1/1 "set ‘((unsigned 
char *) $arg0 + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f /tmp/ 
SGDBASMFILENAME 

source /tmp/gdbassemble 

# all done, clean the temporary file 
shell /bin/rm -f /tmp/gdbassemble 

else 

# no argument, assemble instructions to stdout 

shell ASMOPCODE="$( while read -ep '>' r && test "$r" i~ end ; do echo -E 
"$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 32\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f bin 
-o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/ndisasm -i -b32 /dev/stdin ; \ 
/bin/rm -f /tmp/$GDBASMFILENAME 
end 
end 

document assemble32 
Syntax: assemble32 <ADDR> 

| Assemble 32 bits instructions using nasm. 



| Type a line containing "end" to indicate the end. 

j If an address is specified, insert/modify instructions at that address, 
j If no address is specified, assembled instructions are printed to stdout. 
j Use the pseudo instruction "org ADDR" to set the base address, 
end 

define assemble64 

# dont enter routine again if user hits enter 

dont-repeat 

if ($argc) 

if (*$arg0 = *$arg0) 

# check if we have a valid address by dereferencing it, 

# if we havnt, this will cause the routine to exit, 
end 

printf "Instructions will be written to %#x.\n", $arg0 

else 

printf "Instructions will be written to stdout. \n" 
end 

printf "Type instructions, one per line." 
color_bold 

printf " Do not forget to use NASM assembler syntax !\n" 
color_reset 

printf "End with a line saying just \"end\".\n" 
if ($argc) 

# argument specified, assemble instructions into memory at address 
specified . 

shell ASMOPCODE="$( while read -ep '>' r && test "$r" != end ; do echo -E 
"$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 64\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; /usr/local/bin/nasm 
-f bin -o /dev/stdout /tmp/$GDBASMFlLENAME | /usr/bin/hexdump -ve '1/1 "set 
‘((unsigned char *) $arg0 + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f 
/tmp/$GDBASMFILENAME 

source /tmp/gdbassemble 

# all done, clean the temporary file 
shell /bin/rm -f /tmp/gdbassemble 

else 

# no argument, assemble instructions to stdout 

shell ASMOPCODE="$( while read -ep ’>' r && test "$r" != end ; do echo -E 
"$r" ; done)" ; GDBASMFILENAME=$RANDOM; \ 

echo -e "BITS 64\n$ASM0PC0DE" >/tmp/$GDBASMFILENAME ; /usr/local/bin/nasm 
-f bin -o /dev/stdout /tmp/$GDBASMFlLENAME | /usr/local/bin/ndisasm -i -b64 
/dev/stdin ; \ 

/bin/rm -f /tmp/$GDBASMFILENAME 
end 
end 

document assemble64 
Syntax: assemble64 <ADDR> 

| Assemble 64 bits instructions using nasm. 
j Type a line containing "end" to indicate the end. 

j If an address is specified, insert/modify instructions at that address, 
j If no address is specified, assembled instructions are printed to stdout. 
j Use the pseudo instruction "org ADDR" to set the base address, 
end 

define asm 

if $argc == 1 

assemble $arg0 


else 



assemble 

end 

end 

document asm 
Syntax: asm <ADDR> 

| Shortcut to the asssemble command, 
end 

define asm32 

if $argc == 1 

assemble32 SargO 

else 

assemble32 

end 

end 

document asm32 
Syntax: asm32 <ADDR> 

| Shortcut to the assemble32 command, 
end 

define asm64 

if $argc == 1 

assemble64 SargO 

else 

assemble64 

end 

end 

document asm64 
Syntax: asm64 <ADDR> 

| Shortcut to the assemble64 command, 
end 

define assemble_gas 

printf "\nType code to assemble and hit Ctrl-D when finished. \n" 
printf "You must use GNU assembler (AT&T) syntax. \n" 

shell filename=$(mktemp) ; \ 

binfilename=$(mktemp) ; \ 

echo -e "Writing into: ${filename}\n" ; \ 

cat > Sfilename; echo \ 

as -o Sbinfilename < Sfilename; \ 

objdump -d -j .text Sbinfilename; \ 

rm -f Sbinfilename; \ 

rm -f Sfilename; \ 

echo -e "temporaly files deleted. \n" 
end 

document assemble_gas 
Syntax: assemble_gas 

| Assemble instructions to binary opcodes. Uses GNU as and objdump. 
end 


define dump_hexfile 

dump ihex memory SargO Sargl Sarg2 
end 

document dump_hexfile 

Syntax: dump_hexfile FILENAME ADDR1 ADDR2 

| Write a range of memory to a file in Intel ihex (hexdump) format, 
j The range is specified by ADDR1 and ADDR2 addresses. 



end 


define dump_binfile 

dump memory $arg0 Sargl $arg2 
end 

document dump_binfile 

Syntax: dump_binfile FILENAME ADDR1 ADDR2 
| Write a range of memory to a binary file, 
j The range is specified by ADDR1 and ADDR2 addresses, 
end 


define dumpmacho 
if $argc != 2 

help dumpmacho 
end 

set Sheadermagic = *$arg0 

# the || operator isn't working as it should, wtflU 
if Sheadermagic != Oxfeedface 

if Sheadermagic != Oxfeedfacf 

printf "[Error] Target address doesn't contain a valid Mach-0 

binary !\n" 

help dumpmacho 
end 
end 

set Sheaderdumpsize = *(Sarg0+Oxl4) 
if Sheadermagic == Oxfeedface 

dump memory Sargl SargO (SargO+Oxlc+Sheaderdumpsize) 
end 

if Sheadermagic == Oxfeedfacf 

dump memory Sargl SargO (Sarg0+0x20+$headerdumpsize) 
end 
end 

document dumpmacho 

Syntax: dumpmacho STARTADDRESS FILENAME 
| Dump the Mach-0 header to a file. 

j You need to input the start address (use info shared command to find it). 


define els 

shell clear 
end 

document els 
Syntax: els 
| Clear screen, 
end 


define search 

set Sstart = (char *) SargO 
set Send = (char *) Sargl 
set Spattern = (short) Sarg2 
set $p = Sstart 
while $p < Send 

if (*(short *) $p) == Spattern 

printf "pattern 0x%hx found at 0x%x\n", Spattern, $p 


end 



set $p++ 


end 

end 

document search 

Syntax: search <START> <END> <PATTERN> 

| Search for the given pattern beetween Sstart and Send address, 
end 


# user tips 

# The 'tips' command is used to provide tutorial-like info to the user 
define tips 

printf "Tip Topic Commands :\n" 

printf "\ttip_display : Automatically display values on each break\n" 
printf "\ttip_patch : Patching binaries\n" 
printf "\ttip_strip : Dealing with stripped binaries\n" 
printf "\ttip_syntax : AT&T vs Intel syntax\n" 
end 

document tips 
Syntax: tips 

| Provide a list of tips from users on various topics, 
end 


define tip_patch 
printf "\n" 

printf " PATCHING MEMORYXn" 

printf "Any address can be patched using the 'set' commandin'' 
printf "\t'set ADDR = VALUE' \te.g. 'set *0x8049D6E = 0x90'\n" 
printf "\n" 

printf " PATCHING BINARY FILESXn" 

printf "Use 'set write' in order to patch the target executable\n" 

printf "directly, instead of just patching memory\n" 

printf "\t'set write on' \t'set write off'Xn" 

printf "Note that this means any patches to the code or data segments\n" 
printf "will be written to the executable file\n" 
printf "When either of these commands has been issued, \n" 
printf "the file must be reloaded. \n" 
printf "\n" 
end 

document tip_patch 
Syntax: tip_patch 

| Tips on patching memory and binary files, 
end 


define tip_strip 
printf "\n" 

printf " STOPPING BINARIES AT ENTRY POINTXn" 

printf "Stripped binaries have no symbols, and are therefore tough to\n" 
printf "start automatically. To debug a stripped binary, use\n" 
printf "\tinfo file\n" 

printf "to get the entry point of the file\n" 

printf "The first few lines of output will look like this:\n" 

printf "\tSymbols from '/tmp/a.out ’\n" 

printf "\tLocal exec file:\n" 

printf "\t '/tmp/a.out', file type elf32-i386 . \n" 

printf "\t Entry point: 0x80482e0\n" 

printf "Use this entry point to set an entry point :\n" 



printf "Xt'tbreak *0x80482e0'\n" 

printf "The breakpoint will delete itself after the program stops as\n" 
printf "the entry point\n" 
printf "\n" 
end 

document tip_strip 
Syntax: tip_strip 

| Tips on dealing with stripped binaries, 
end 


define tip_syntax 


printf 

"\n" 




printf 

"\t INTEL SYNTAX 

AT&T SYNTAXXn" 

printf 

"\tmnemonic dest 

, src, imm 

mnemonic src, 

dest, imm\n" 

printf 

"\t [base+index*scale+disp] 

disp(base, index, scale)\n" 

printf 

"\tregister : 

eax 

register : 

%%eax\n" 

printf 

"\timmediate: 

0xFF 

immediate: 

$0xFF\n" 

printf 

"\tdereference : 

[addr] 

dereference : 

addr( , l)\n" 

printf 

"\tabsolute addr 

: addr 

absolute addr 

■: *addr\n" 

printf 

"\tbyte insn: 

mov byte ptr 

byte insn: 

movb\n" 

printf 

"\tword insn: 

mov word ptr 

word insn: 

movw\n" 

printf 

"\tdword insn: 

mov dword ptr 

dword insn: 

movd\n" 

printf 

"\tfar call: 

call far 

far call: 

lcall\n" 

printf 

"\tfar jump: 

jmp far 

far jump: 

ljmp\n" 

printf 

"\n" 




printf 

"Note that order 

of operands in 

reversed, and that 

AT&T syntax\n" 

printf 

"requires that all instructions 

referencing memory 

operands \n" 

printf 

"use an operand : 

size suffix (b, 

w, d, q)\n" 


printf 

"\n" 





end 

document tip_syntax 
Syntax: tip_syntax 

| Summary of Intel and AT&T syntax differences, 
end 


define tip_ 
printf 
printf 
printf 
printf 
printf 
printf 
printf 
printf 
printf 
printf 
printf 
printf 


display 

"\n" 

"Any expression can be set to automatically be displayed every time\n" 
"the target stops. The commands for this are:\n" 


"\t 'display expr 
"\t' display 1 
"\t ' undisplay num 
"Examples : \n" 

"\t 'display/x *(int *)$esp' 

"\t 'display/x *(int *)($ebp+8)' 
"\t 'display (char *)$esi' 

"\t 'display (char *)$edi' 

"\n" 


automatically display expression ’expr'Xn" 

show all displayed expressions'^" 

turn off autodisplay for expression # 'num 


print top of stack\n" 
print first parameter\n" 
print source string\n" 
print destination string\n" 


end 

document tip_display 
Syntax: tip_display 

| Tips on automatically displaying values when a program stops, 
end 


# bunch of semi-useless commands 


# enable and disable shortcuts for stop-on-solib-events fantastic trick! 



define enablesolib 

set stop-on-solib-events 1 
printf "Stop-on-solib-events is enabled !\n" 
end 

document enablesolib 
Syntax: enablesolib 

| Shortcut to enable stop-on-solib-events trick, 
end 


define disablesolib 

set stop-on-solib-events 0 
printf "Stop-on-solib-events is disabled !\n" 
end 

document disablesolib 
Syntax: disablesolib 

| Shortcut to disable stop-on-solib-events trick, 
end 


# enable commands for different displays 
define enableobjectivec 

set SSHOWOB J ECTIVEC = 1 
end 

document enableobjectivec 
Syntax: enableobjectivec 

| Enable display of objective-c information in the context window, 
end 


define enablecpuregisters 

set SSHOWCPUREGISTERS = 1 
end 

document enablecpuregisters 
Syntax: enablecpuregisters 

| Enable display of cpu registers in the context window, 
end 


define enablestack 

set SSHOWSTACK = 1 
end 

document enablestack 
Syntax: enablestack 

| Enable display of stack in the context window, 
end 


define enabledatawin 

set SSHOWDATAWIN = 1 
end 

document enabledatawin 
Syntax: enabledatawin 

| Enable display of data window in the context window, 
end 


# disable commands for different displays 
define disableobjectivec 



set SSHOWOB J ECTIVEC = 0 
end 

document disableobjectivec 
Syntax: disableobjectivec 

| Disable display of objective-c information in the context window, 
end 


define disablecpuregisters 

set SSHOWCPUREGISTERS = 0 
end 

document disablecpuregisters 
Syntax: disablecpuregisters 

| Disable display of cpu registers in the context window, 
end 


define disablestack 

set SSHOWSTACK = 0 
end 

document disablestack 
Syntax: disablestack 

| Disable display of stack information in the context window, 
end 


define disabledatawin 

set SSHOWDATAWIN = 0 
end 

document disabledatawin 
Syntax: disabledatawin 

| Disable display of data window in the context window, 
end 


define arm 

if SARMOPCODES == 1 

set arm show-opcode-bytes 1 
end 

set $ARM = 1 
end 

document arm 
Syntax: arm 

| Set gdb to work with ARM binaries, 
end 

define ioskdp 

set $SHOW_CONTEXT = 0 
set $SHOW_NEST_INSN = 0 
end 

document ioskdp 
Syntax: ioskdp 

| Disable dumping context information for iOS KDP debugging 
end 

define intelsyntax 
if $ARM == 0 

set disassembly-flavor intel 
set $X86 FLAVOR = 0 



end 

end 

document intelsyntax 
Syntax: intelsyntax 

| Change disassembly syntax to intel flavor, 
end 


define attsyntax 
if $ARM == 0 

set disassembly-flavor att 
set SX86FLAVOR = 1 
end 
end 

document attsyntax 
Syntax: attsyntax 

| Change disassembly syntax to at&t flavor, 
end 

define kernel32 
if $argc != 0 

# try to load kgmacros files 

# failure is silent if non-existent... 
source $arg0 

set architecture i386 
if $argc == 2 

target remote localhost :$argl 

else 

target remote localhost : 8832 
end 

else 

help kernel32 
end 
end 

document kernel32 

Syntax: kernel32 PATH_TO_KGMACROS <PORT> 

| Attach to VMware gdb stub for 32 bits kernel, 
j The path to kgmacros must be supplied as first parameter. 

j If you don't want to load kgmacros just put something as the first parameter, 
j Optional parameter is the port to connect to, in case you are not using the 
default 8832 

| or want to kernel debug more than one active virtual machine. 

j By supplying a bogus kgmacros this command should be compatible with any OS. 

end 

define kernel64 
if $argc I- 0 

# try to load kgmacros files 

# failure is silent if non-existent... 
source $arg0 

set architecture i386:x86-64 
if $argc == 2 

target remote localhost :$argl 

else 

target remote localhost : 8864 
end 

else 

help kernel64 
end 



end 

document kernel64 

Syntax: kernel64 PATH_TO_KGMACROS <PORT> 

| Attach to VMware gdb stub for 64 bits kernel, 
j The path to kgmacros must be supplied as first parameter. 

j If you don't want to load kgmacros just put something as the first parameter, 
j Optional parameter is the port to connect to, in case you are not using the 
default 8864 

| or want to kernel debug more than one active virtual machine. 

j By supplying a bogus kgmacros this command should be compatible with any OS. 

end 

define 32bits 

set $KDP64BITS = 0 
set S64BITS = 0 
end 

define 64bits 

set SKDP64BITS = 1 
set S64BITS = 1 
end 

define resetkdp 

set SKDP64BITS = -1 
end 

define header 

if $argc != 1 
help header 

else 

dump memory /tmp/gdbinit_header_dump $arg0 $arg0 + 4096 
shell /usr/bin/otool -h /tmp/gdbinit_header_dump 
shell /bin/rm -f /tmp/gdbinit_header_dump 
end 
end 

document header 

Syntax: header MACHO_HEADER_START_ADDRESS 

| Dump the Mach-0 header located at given address 

end 

define loadcmds 
if Sargc != 1 

help loadcmds 

else 

# this size should be good enough for most binaries 
dump memory /tmp/gdbinit_header_dump $arg0 $arg0 + 4096 * 10 
shell /usr/bin/otool -1 /tmp/gdbinit_header_dump 
shell /bin/rm -f /tmp/gdbinit_header_dump 
end 
end 

document loadcmds 

Syntax: loadcmds MAC H 0_H EAD E R_ST ART_AD D RESS 

| Dump the Mach-0 load commands 

end 

# defining it here doesn't get the space #$#$%"#! 
define disablecolorprompt 
set prompt gdb$ 


end 



document disablecolorprompt 
| Remove color from prompt 
end 

define enablecolorprompt 

set prompt \033[31mgdb$ \033[0m 
end 

document enablecolorprompt 
| Enable color prompt 
end 

#EOF 

# Older change logs: 

# 

# Version 7.4.4 (02/01/2012) 

# - Added the "skip" command. This will jump to the next instruction after 
EIP/RIP without executing the current one. 

# Thanks to §bSr43 for the tip to retrieve the current instruction size. 

# 

# Version 7.4.3 (04/11/2011) 

# - Modified "hexdump" command to support a variable number of lines 
(optional parameter) 

# - Removed restrictions on type of addresses in the "dd" command - Thanks to 
Plouj for the warning :-) 

# I don't know what was the original thinking behind those :-) 

# - Modified the assemble command to support 64bits - You will need to 
recompile nasm since the version shipped with OS X doesn't supports 64bits 
(www.nasm.us) . 

# Assumes that the new binary is installed at /usr/local/bin - modify the 
variable at the top if you need so. 

# It will assemble based on the target arch being debugged. If you want to 
use gdb for a quick asm just use the 32bits or 64bits commands to set your target. 

# Thanks to snare for the warning and original patch :-) 

# - Added "asm" command - it's a shortcut to the "assemble" command. 

# - Added configuration variable for colorized prompt. Plouj reported some 
issues with Ubuntu's gdb 7.2 if prompt is colorized. 

# 

# Version 7.4.2 (11/08/2011) 

# Small fix to a weird bug happening on FreeBSD 8.2. It doesn't like a "if(" 
instruction, needs to be "if (". Weird! 

# Many thanks to Evan for reporting and sending the patch :-) 

# Added the ptraceme/rptraceme commands to bypass PTRACE_TRACME anti-debugging 
technique . 

# Grabbed this from http://falken.tuxfamily.org/?p=171 

# It's commented out due to a gdb problem in OS X (refer to 

http : //reverse . put . as/2011/08/20/anot her -patch -for -apples -gdb -the- definecommands- 
problem/ ) 

# Just uncomment it if you want to use in ptrace enabled systems. 

# 

# Version 7.4.1 (21/06/2011) - f G ! 

# Added patch sent by sbz, more than 1 year ago, which I forgot to add :-/ 

# This will allow to search for a given pattern between start and end address. 

# On sbz words: "It's usefull to find call, ret or everything like that." :-) 

# New command is "search" 

# 

# Version 7.4 (20/06/2011) - f G ! 

# When registers change between instructions the color will change to red (like 
it happens in OllyDBG) 



# This is the default behavior, if you don't like it, modify the variable 
SHOWREGCHANGES 

# Added patch sent by Philippe Langlois 

# color the first disassembly line - change the setting below on 
SETCOLOR1STLINE - by default it's disabled 

# 

# Version 7.3.2 (21/02/2011) - f G ! 

# Added the command rint3 and modified the int3 command. The new command will 
restore the byte in previous int3 patch. 

# 

# Version 7.3.1 (29/06/2010) - f G ! 

# Added enablelib/disablelib command to quickly set the stop-on-solib-events 
trick 

# Implemented the stepoh command equivalent to the stepo but using hardware 
breakpoints 

# More fixes to stepo 

# 

# Version 7.3 (16/04/2010) - f G ! 

# Support for 64bits targets. Default is 32bits, you should modify the 
variable or use the 32bits or 64bits to choose the mode. 

# I couldn't find another way to recognize the type of binary... Testing 
the register doesn't work that well. 

# TODO: fix objectivec messages and stepo for 64bits 

# Version 7.2.1 (24/11/2009) - f G ! 

# Another fix to stepo (0xFF92 missing) 

# 

# Version 7.2 (11/10/2009) - f G ! 

# Added the smallregisters function to create 16 and 8 bit versions from the 
registers EAX, EBX, ECX, EDX 

# Revised and fixed all the dump jump stuff, following Intel manuals. There 
were some errors (thx to rev who pointed the jle problem). 

# Small fix to stepo command (missed a few call types) 

# 

# Version 7.1.7 - f G ! 

# Added the possibility to modify what's displayed with the context window. You 
can change default options at the gdb options part. For example, kernel debugging 
is much slower if the stack display is enabled... 

# New commands enableobjectivec, enablecpuregisters, enablestack, enabledatawin 
and their disable equivalents (to support realtime change of default options) 

# Fixed problem with the assemble command. I was calling /bin/echo which 
doesn't support the -e option ! DUH ! Should have used bash internal version. 

# Small fixes to colors... 

# New commands enablesolib and disablesolib . Just shortcuts for the stop-on- 
solib-events fantastic trick ! Hey... I'm lazy ;) 

# Fixed this: Possible removal of "u" command, info udot is missing in gdb 6.8- 
debian . Doesn't exist on OS X so bye bye ! ! ! 

# Displays affected flags in jump decisions 

# 

# Version 7.1.6 - f G ! 

# Added modified assemble command from Tavis Ormandy (further modified to work 
with Mac OS X) (shell commands used use full path name, working for Leopard, modify 
for others if necessary) 

# Renamed thread command to threads because thread is an internal gdb command 
that allows to move between program threads 

# 

# Version 7.1.5 (04/01/2009) - fGJ 

# Fixed crash on Leopard ! There was a If Else condition where the else had no 
code and that made gdb crash on Leopard (CRAZY!!!!) 

# Better code indention 



# 

# Version 7.1.4 (02/01/2009) - f G ! 

# Bug in show objective c messages with Leopard ??? 

# Nop routine support for single address or range (contribution from gin 
[ghalen at hack.se]) 

# Used the same code from nop to null routine 

# 

# Version 7.1.3 (31/12/2008) - f G ! 

# Added a new command 'stepo'. This command will step a temporary breakpoint on 
next instruction after the call, so you can skip over 

# the call. Did this because normal commands not always skip over (mainly with 
objc_msgSend) 

# 

# Version 7.1.2 (31/12/2008) - f G ! 

# Support for the jump decision (will display if a conditional jump will be 
taken or not) 

# 

# Version 7.1.1 (29/12/2008) - f G ! 

# Moved gdb options to the beginning (makes more sense) 

# Added support to dump message being sent to msgSend (easier to understand 
what's going on) 

# 

# Version 7.1 

# Fixed serious (and old) bug in dd and datawin, causing dereference of 

# obviously invalid address. See below: 

# gdb$ dd Oxffffffff 

# FFFFFFFF : Cannot access memory at address ©xffffffff 

# 

# Version 7.0 

# Added els command. 

# Improved documentation of many commands. 

# Removed bp_alloc, was neither portable nor usefull. 

# Checking of passed argument(s) in these commands: 

# contextsize-stack, contextsize-data, contextsize-code 

# bp, bpc, bpe, bpd, bpt, bpm, bhb, . . . 

# Fixed bp and bhb inconsistencies, look at * signs in Version 6.2 

# Bugfix in bhb command, changed "break" to "hb" command body 

# Removed $SHOW_CONTEXT=l from several commands, this variable 

# should only be controlled globally with context-on and context-off 

# Improved stack, func, var and sig, dis, n, go, . . . 

# they take optional argument(s) now 

# Fixed wrong $SHOW_CONTEXT assignment in context -off 

# Fixed serious bug in eft command, forgotten ~ sign 

# Fixed these bugs in step_to_call: 

# 1) the correct logging sequence is: 

# set logging file > set logging redirect > set logging on 

# 2) $SHOW_CONTEXT is now correctly restored from $_saved_ctx 

# Fixed these bugs in trace_calls: 

# 1) the correct logging sequence is: 

# set logging file > set logging overwrite > 

# set logging redirect > set logging on 

# 2) removed the "clean up trace file" part, which is not needed now, 

# stepi output is properly redirected to /dev/null 

# 3) $S H OW_CO N T EXT is now correctly restored from $_saved_ctx 

# Fixed bug in trace_run: 

# 1) $SHOW_CONTEXT is now correctly restored from $_saved_ctx 

# Fixed print_insn_type -- removed invalid semicolons!, wrong value checking, 

# Added TODO entry regarding the "u" command 

# Changed name from gas_assemble to assemble_gas due to consistency 



Output from assemble and assemble_gas is now similar, because i made 
both of them to use objdump, with respect to output format (AT&T | Intel) . 
Whole code was checked and made more consistent, readable/maintainable. 


# Version 6.2 

# Add global variables to allow user to control stack, data and code window 
sizes 

# Increase readability for registers 

# Some corrections (hexdump, ddump, context, cfp, assemble, gas_asm, tips, 
prompt) 


# 


Version 6.1-color-user 

Took the Gentoo route and ran sed s/user/user/g 

Version 6.1-color 

Added color fixes from 

http : //gnurbs . blogsome . com/2006/12/22/colorizing-mamons-gdbinit/ 


# Version 6.1 

# Fixed filename in step_to_call so it points to /dev/null 

# Changed location of logfiles from /tmp to ~ 

# 

# Version 6 

# Added print_insn_type, get_insn_type, context-on, context-off commands 

# Added trace_calls, trace_run, step_to_call commands 

# Changed hook-stop so it checks $SHOW_CONTEXT variable 

# 

# Version 5 

# Added bpm, dump_bin, dump_hex, bp_alloc commands 

# Added 'assemble' by elaine, 'gas_asm' by mong 

# Added Tip Topics for aspiring users ;) 

# 

# Version 4 

# Added eflags-changing insns by pusillus 

# Added bp, nop, null, and int3 patch commands, also hook-stop 

# 

# Version 3 

# Incorporated elaine 's if /else goodness into the hex/ascii dump 

# 

# Version 2 

# Radix bugfix by elaine 



